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1  A.  Abstract 

A  System  Safety  study  was  conducted  to  assess  the  overall  safety 
characteristics  associated  with  use  of  the  airborne  collision  avoidance 
system  called  minimum  TCAS  II  (Traffic  Alert  and  Collision  Avoidance 
System).  The  limitations  imposed  by  incomplete  transponder  equipage, 
altimetry  instrumentation  errors,  and  suddenly  maneuvering  intruders 
were  quantified.  Other  failure  mechanisms,  including  those  related  to 
human  factors,  were  also  assessed.  The  role  of  visual  acquisition  and 
a  quantitative  evaluation  of  it  was  explored.  The  impact  on/8ystem 
Safety  caused  by  the  failure  modes  and  their  interrelations  was 
evaluated  by  means  of  a  fault  tree  analysis. 
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FOREWORD 


The  TCAS  System  Safety  study  was  initiated  within  the  TCAS  Program 
of  the  Federal  Aviation  Administration  (FAA)  shortly  after  the  Third 
TCAS  Symposium  as  a  means  for  formalizing  several  ongoing  analyses 
of  TCAS  performance  and  to  address  specific  safety  concerns  voiced 
by  the  aviation  community.  Five  reviews  of  study  progress  were  held 
at  FAA  Headquarters  during  the  10-month  study  period  in  which  a 
broad  spectrum  of  the  aviation  community  participated.  This 
participation  was  very  helpful  in  providing  feedback  to  the  study 
team  from  the  prospective  user  community  and  also  to  assure  that  all 
major  topics  of  interest  were  considered. 

The  study  team,  headed  by  the  MITRE  Corporation,  developed  a 
comprehensive  methodology  for  the  analyses  of  TCAS  safety  in 
addition  to  providing  a  quantitative  evaluation  of  TCAS 
performance.  The  sensitivity  analysis  conducted  as  part  of  the 
overall  study  is  of  particular  importance  since  this  analysis 
clearly  delineates  the  effect  of  system  parameter  modification  upon 
system  safety.  Specifically,  it  is  shown  that  increasing  the  TCAS 
logic  parameter,  ALIM,  by  less  than  20  percent  at  the  lower  altitude 
bands  reduced  the  effects  of  altimetry  error  by  approximately  50 
percent.  On  the  basis  of  this  analysis,  the  ALIM  values  specified 
for  the  TCAS  Minimum  Operational  Performance  Standards  (MOPS)  were 
modified  accordingly. 

In  the  near  future  a  new  study  will  be  conducted  to  extend  the 
safety  study  results  for  air  carrier  flight  in  Instrument 
Meteorological  Conditions  (IMC).  This  study  will  assess  the  safety 
of  TCAS  usage  in  controlled  airspace  in  which  virtually  all 
participants  are  operating  under  Instrument  Flight  Rules  (IFR),  and 
will  consider  the  effects  of  relative  geometry  and  dynamics, 
operational  factors  and  other  pertinent  parameters  affecting  the 
utilization  of  TCAS  in  this  flight  regime. 


Joe  Fee,  Director 

TCAS  System  Safety  Study 

11/10/83 
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EXECUTIVE  SUMMARY 


1.  Introduction 

This  report  describes  a  System  Safety  study,  which  was  conducted  to 
assess  the  overall  safety  characteristics  associated  with  use  of  the 
Minimum  TCAS  II  airborne  collision  avoidance  system.  Emphasis  has 
been  placed  on  principal  limitations  and  failure  mechanisms.  The 
System  Safety  study,  an  overall  assessment  of  the  interrelation  of 
avionics,  the  pilots,  and  the  air  traffic  advisory  system,  uses  the 
"fault  tree"  technique  to  structure  a  "top  down"  analytical 
approach. 

The  TCAS  system  is  a  cooperative  one  in  that  information  on  the 
intruder  is  obtained  by  interrogating  its  ATC  transponder  and  then 
predicting  whether  the  aircraft  will  approach  too  closely  within  the 
next  half-minute.  The  system  must  consider  the  following  basic 
limitations: 

•  Lack  of  universal  Mode  C  equipage 

•  Errors  in  reported  altimetry 

•  Susceptibility  to  being  deceived  by  an  intruder's  sudden 
maneuver 

In  addition,  the  internal  failure  mechanisms  treated  are  as  follows: 

•  The  surveillance  function  of  TCAS 

•  Bit  errors  in  the  intruder's  transponder  reply  of  altitude 


•  Avionics  failures 


A  related  mode  of  failure  includes  pilot  errors  in  using  a  normally 
performing  TCAS.  All  of  these  events  are  evaluated  in  this  System 
Safety  study. 

For  the  purpose  of  the  study,  these  limitations  and  failure 
mechanisms  are  those  faults  which  could  result  in  a  near  midair 
collision  (NMAC).  An  NMAC  is  defined  here  as  an  encounter  for 
which,  at  the  closest  point  of  approach,  the  vertical  separation  is 
less  than  100  ft  and  the  horizontal  separation  is  less  than  500  ft. 

In  a  TCAS  II  environment  NMACs  can  occur  in  either  of  two  ways:  the 
aircraft  can  be  on  near  collision  course  and  TCAS  II  fails  to 
provide  resolution  (the  unresolved  NMAC);  or  the  aircraft  can  be  in 
close  proximity  and  TCAS  II  can  induce  a  maneuver  which  degrades 
vertical  separation  to  the  extent  that  an  NMAC  occurs  (the  induced 
NMAC). 

To  evaluate  the  relative  effect  of  TCAS  on  System  Safety,  a  term 
called  "Risk  Ratio”  is  defined  and  computed  using  real-world  data. 
This  factor  is  the  risk  of  encountering  an  NMAC  when  equipped  with 
TCAS,  relative  to  the  risk  when  not  so  equipped.  Using  the  NMAC  as 
a  defined  failure  condition  provides  a  quantitative  measure  for 
calculations;  using  the  Risk  Ratio  places  the  calculations  of  System 
Safety  on  a  direct  comparative  basis.  A  framework  for  combining 
these  probabilities  is  provided  by  a  formal  fault  tree  analysis  of 
the  events  which,  in  combination,  could  lead  to  an  NMAC. 

Succeeding  sections  deal  with  the  conduct  of  the  study  itself.  The 
results  are  summarized  in  Section  9  and  the  conclusions  are  given  in 
Section  10. 


2.  Overview  of  Minimum  TCAS  II 

The  minimum  TCAS  II  uses  active  interrogation  of  ATC  transponders  to 
track  nearby  aircraft  in  slant  range  and  relative  altitude;  it  uses 
these  to  assess  the  collision  threat  potential  and  to  generate 
appropriate  collision  avoidance  advisories.  It  provides  the  pilot 
with  Traffic  Advisories  (TAs)  and  with  Resolution  Advisories  (RAs). 
In  collision  encounters,  the  system  design  assures  that  the  TA 
normally  occurs  approximately  15  seconds  before  the  RA.  The  TA  can 
be  presented,  perhaps  on  a  weather  radar  CRT  display,  in  a  graphical 
format  which  provides  the  range,  bearing,  and  relative  altitude  of 
the  potential  threat. 

As  an  option,  non-Mode  C  aircraft  may  also  be  tracked.  If  an 
intruding  aircraft  is  not  reporting  altitude  through  its 
transponder,  it  is  not  possible  to  determine  If  the  aircraft  is  a 
potential  collision  threat.  Therefore,  for  intruders  not  equipped 
with  altitude  reporting,  TCAS  II  may  generate  TAs  but  will  not 
generate  RAs.  However,  if  the  aircraft  were  on  near  collision 
course,  such  TAs  would  enhance  visual  acquisition. 

An  aircraft  is  declared  to  be  a  collision  threat  to  the  TCAS 
aircraft  if  its  current  position,  or  its  projected  position, 
simultaneously  violate  range  and  relative  altitude  criteria. 
Generally,  an  aircraft  will  be  declared  to  be  a  collision  threat 
20-30  seconds  before  closest  approach,  at  which  time  an  RA  is 
displayed.  This  provides  time  for  an  escape  maneuver  by  the  pilot. 

The  RA  (e.g..  Climb,  Descend,  Don't  Climb,  etc.)  is  chosen  to 
provide  a  specific  margin  of  separation  with  a  minimum  change  in  tne 
existing  flight  path  of  the  TCAS  II  aircraft.  The  minimum  TCAS  II 
utilizes  maneuvers  in  the  vertical  plane  only. 


3.  TCAS  Environment 

To  characterize  the  environment  of  the  average  air  carrier  with 
TCAS,  the  following  sources  of  data  are  used: 


•  Incident  reports  on  NMACs  collected  by  the  FAA 

•  TCAS  data  as  recorded  on  Piedmont  Airlines  operational 
flights 

•  TCAS  operations  as  recorded  on  the  FAA  B727  aircraft  in 
flights  at  Atlantic  City,  Washington,  and  Chicago. 

Each  of  these  data  sources  are  examined,  and  cross  checked,  to 
obtain  some  measure  of  the  probability  of  various  events  in  the 
fault  tree.  The  major  findings  from  this  investigation  are  the 
following: 

•  Bright  daylight  conditions  occurred  for  70  percent  of  the 
NMAC  incidents.  Visual  acquisition  will  be  conservatively 
assumed  to  be  Impossible  for  all  other  conditions. 

•  Instrument  Meteorological  Conditions  (IMC)  occurred  for  less 
than  16  percent  of  the  NMAC  incidents. 

•  The  other  aircraft  in  an  NMAC  incident  report  is  equipped 
with  a  transponder  in  92  percent  of  the  cases.  Of  these,  66 
percent  are  also  equipped  with  Mode  C  (i.e.,  61  percent  of 
the  threats  have  Mode  C  altitude  reporting  transponders). 


•  The  distribution  of  conflicting  aircraft  in  relative 
altitude  at  the  closest  point  of  approach  is  approximately 
uniform  over  a  wide  range  of  relative  altitudes.  This 
important  result  is  used  in  the  analyses.  It  was  observed 
in  the  Piedmont  flights,  both  for  the  RAs,  and  for  the  TAs; 
it  was  observed  for  all  tracks  recorded  on  flights  with  the 
FAA  aircraft  in  the  vicinity  of  Chicago,  as  well  as 
Washington. 

•  Data  was  obtained  for  the  distribution  of  altitude  rates  and 
the  probability  of  a  level-off  maneuver.  These  enable  a 
calculation  of  the  susceptibility  of  TCAS  being  deceived  by 
a  sudden  maneuver  of  a  threat  aircraft. 

•  The  current  risk  of  encountering  an  NMAC  is  estimated  as  1 
in  100,000  hours.  This  value  is  recognized  as  being 
approximate;  it  is  roughly  sustained  by  four  different 
estimates.  The  principal  analysis,  however,  is  independent 
of  this  value,  a  relative  comparison  is  obtained  instead. 

4.  Principal  Limitations 

As  a  step  in  determining  the  probabilities  of  various  events  in  the 
fault  tree,  estimates  are  made  independently  of  the  relative 
probability  (Risk  Ratio)  of  (1)  the  intruder  being  Mode  C  equipped, 
(2)  of  having  excessive  altimetry  error,  and  (3)  of  making  a  sudden 
contrary  maneuver. 

Mode  C  Equipage 

Since  it  was  found  that  about  61  percent  of  the  intruders  involved 
in  an  NMAC  were  equipped  for  Mode  C  altitude  reporting,  that 
represents  the  maximum  benefit  that  the  TCAS  RA  could  provide  in 
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today's  environment.  That  is,  at  best,  61  percent  of  the  current 
NMACs  could  be  avoided  with  today's  level  of  equipage.  However,  a 
large  fraction  of  aircraft  involved  in  NMACs  hav-  transponders  (92 
percent),  even  if  they  do  not  have  Mode  C.  If  the  non-Mode  C 
tracking  feature  were  available  in  TCAS,  "altitude  unknown"  TAs 
could  be  provided.  If  the  intruder  is  really  on  a  near  collision 
course,  this  feature,  patterned  after  the  ATC  practice  of  announcing 
traffic  of  concern,  should  be  helpful  in  alerting  the  TCAS  pilot. 

Altimetry  Errors 

The  vertical  separation  between  two  conflicting  aircraft  is  measured 
as  the  difference  between  own  altitude  and  that  of  the  intruder's 
altitude  as  reported  in  his  Mode  C  reply.  The  TCAS  aircraft  is 
required  to  have  relatively  high  accuracy  altimetry,  as  is  commonly 
found  on  air  carrier  aircraft;  an  intruding  general  aviation 
aircraft  might  have  lower  accuracy.  The  magnitudes  of  these  errors 
are  assessed  and  used  in  the  calculations. 

Errors  in  altimetry  can  cause  two  types  of  effects:  first,  if  the 
aircraft  are  on  a  near  collision  course,  errors  could  indicate  safe 
passage,  and  so  the  impending  NMAC  would  be  unresolved;  second,  if 
the  aircraft  were  almost  on  a  near  collision  course,  but  were 
separated  in  altitude,  errors  could  lead  to  making  a  maneuver  which 
would  lead  to  inducing  an  NMAC.  These  two  effects  are  evaluated 
relative  to  the  risk  of  encountering  the  NMAC  without  TCAS.  Only 
some  combinations  of  altimetry  error  and  actual  physical  position 
can  lead  to  these  failures.  The  collision  avoidance  logic  has 
various  parameters  designed  to  tolerate  some  degree  of  altimetry 
error,  the  principal  parameter  being  ALIM,  the  nominal  separation 
that  TCAS  tries  to  ensure.  If  the  error  is  significantly  less  than 


ALIM,  the  TCAS  aircraft  will  maneuver  through  the  error  and  be 
clear.  If  the  error  is  nearly  ALIM  or  more,  the  choice  of  maneuver 
can  be  wrong. 

The  Risk  Ratio  is  calculated  by  identifying  those  combinations  of 
altimetry  error  and  geometrical  position  that  could  lead  to  an  NMAC, 
and  then  weighting  those  combinations  by  their  probabilities  of 
occurrence.  Geometrical  position,  as  noted  earlier,  was  found  to  be 
uniformly  distributed;  altimetry  error  is  assumed  normally 
(Gaussian)  distributed.  The  result  is  then  normalized  to  the 
probability  of  a  pre-existing  NMAC  to  obtain  the  Risk  Ratio. 

During  the  course  of  the  study,  it  appeared  desirable  and  convenient 
to  obtain  a  substantial  improvement  by  a  modest  change  to  the 
parameter  ALIM  at  low  altitudes.  Making  this  change  and  assuming 
all  intruders  to  have  general  aviation  quality  altimetry 
(uncorrected  for  static  source  error),  the  Risk  Ratio,  weighted  to 
account  for  altitude  distribution  is  3.1  percent,  as  shown  in 
Table  1,  The  meaning  of  this  is  that,  if  all  aircraft  in  near 
encounters  had  that  altimetry  error  characteristic,  and  any 
resulting  Resolution  Advisory  were  followed,  the  resulting  number  of 
NMACs  would  be  3.1  percent  of  those  that  would  otherwise  have 
occurred  without  TCAS.  Of  course,  other  factors  enter  into  the 
complete  picture  —  not  all  intruders  are  mode  C  equipped;  some  have 
better  altimetry;  visual  acquisition  is  improved  by  the  Traffic 
Advisory  display.  The  full  picture  is  put  together  in  Section  9, 
Findings . 

The  sensitivity  to  the  assumed  Gaussian  distribution  is  also 
investigated  by  replacing  it  by  a  symmetrical  exponential 
distribution  having  the  same  standard  deviation,  which  has  much 
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TABLE  1 

EFFECTS  OF  ALTIMETRY  ERROR  FOR  MODIFIED  ALIM 


ALT. 

I  ALIM 

l 

1 

I  RSS 

|  ERROR 

I  (SIGMA) 

1 

1  l  l 

I  FRACTION  OFl  I 

I  NMAC  IN  |  | 

I  ALTITUDE  |  RISK  | 

1  BAND  |  RATIO  | 

1  1  1 

WEIGHTED 

RISK 

RATIO 

5  Kft 

H 1 1 

1 

1  143  ft 

| 

1  .44 

1  r 

1  .0269  1 

1  1 

.0118 

10 

1 

1  156 

1 

1  .31 

1  1 

1  .0485  1 

1  1 

.0150 

15 

1  175 

1 

i  .17 

1  l 

1  .0231  1 

1  1 

.0039 

20 

1  640 

1 

1  190 

1 

1  .03 

1  1 

1  .0051  I 

| 

.0002 

25 

1  640 

1 

I  206 

1 

1  .01 

1  .0117  | 

1  1 

.0001 

30 

1  640 

1 

1  220 

1 

1  .03 

1  ! 

1  .0210  | 

I  I 

.0006 

35 

1  740 

i 

1  239 

1  .01 

1  .0125  1 

.0001 

Total  = 
Unresolved 

Induced  = 

.0317 
-  .0143 

.0174 

I 

Notes : 


Errors  are  1. 

2. 

3. 


Own  altimetry  (A/C  Quality) 
Intruder  altimetry  (GA  Quality) 
150  fpm  tracking  bias  error 


DELTA  =  75  ft  (Corrective  advisory  is  maintained  until  the 
apparent  separation  is  ALIM  +  75  ft) 
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"heavier  tails."  The  result  of  that  investigation  is  found  to  be 
equivalent  to  that  for  a  Gaussian  distribution  with  a  15  percent 
higher  error. 

Maneuvering  Intruder 

If  an  intruder  is  equipped  only  with  a  transponder  and  Mode  C 
encoder,  but  not  with  TCAS,  there  is  no  way  to  coordinate 
maneuvers.  Thus,  an  escape  maneuver  on  the  part  of  the  TCAS 
aircraft  could  be  thwarted  ("faked  out")  by  a  sudden  contrary 
maneuver  on  the  part  of  the  intruder.  In  such  a  situation  TCAS 
could  be  said  to  induce  an  NMAC.  This  characteristic  is  evaluated 
by  accounting  for  the  behavior  of  the  collision  avoidance  logic  and 
by  using  recorded  data  to  characterize  the  intruder's  maneuver. 

The  scenario  of  most  concern  is  one  in  which  the  TCAS  aircraft  is 
level,  and  the  intruder  has  a  substantial  vertical  rate  and  will 
cross  in  front  of  the  TCAS  aircraft.  As  an  example,  the  TCAS 
aircraft  is  level  and  the  intruder  is  descending  to  cross  in  front 
of  TCAS.  At  the  closest  point  of  approach  the  intruder  would  be 
close  horizontally  and  within  ALIM  below.  TCAS  will  then  display  a 
Climb  indication,  which  the  pilot  would  presumably  follow.  In  order 
for  an  NMAC  to  occur,  the  intruder  must  level  off  in  a  critical  time 
window  and  at  a  critical  altitude.  Using  data  from  the  Piedmont 
flights,  the  probability  of  a  maneuver  within  the  time  window, 
together  with  the  observed  vertical  rates,  were  used  to  assess  the 
susceptibility  of  TCAS  to  the  fake-out.  Relative  to  the 
pre-existing  risk  of  an  NMAC,  the  Risk  Ratio  is  found  to  be  2.7 
percent.  Using  the  data  from  the  FAA  flights,  instead  of  the 
Piedmont  data,  and  using  a  different  methodology  for  estimation, 
similar  results  are  obtained. 
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5.  Failure  Mechanisms 


The  internal  failure  mechanisms  pertain  to  (1)  surveillance,  (2) 
persistent  bit  errors  in  the  intruder's  reply  of  altitude,  and  (3) 
various  combinations  of  failures  in  the  avionics  of  either  aircraft. 

Surveillance 

Many  hours  of  TCAS  airborne  data  is  examined,  both  from  1982  flights 
in  a  Boeing  727  and  from  1983  flights  in  a  Cessna  421.  The  analysis 
shows  that,  by  far,  the  surveillance  characteristic  of  most  concern 
is  the  missed  track  rate.  The  typical  performance  is  found  to  be  a 
miss  rate  of  .06  at  the  time  of  the  TA,  and  .03  at  the  time  of  the 
RA. 


Mode  C  Bit  Failure 

The  impact  of  a  persistent  Mode  C  encoder  bit  failure  is  examined. 
The  failure  of  concern  is  a  "stuck  low  order  bit";  the  high  order 
bits  are  of  much  less  concern,  since  they  represent  errors  of  500  ft 
or  more  and  are  very  likely  to  be  detected  by  other  means.  The  low 
order  bits  provide  errors  of  100  ft,  and  can  go  undetected;  their 
principal  potential  harm  is  not  in  the  altitude  error  itself  but  in 
the  altitude  rate,  which  can  cause  an  erroneous  30-second 
prediction.  The  wrong  combination  of  circumstances  could  cause  an 
induced  NMAC. 

Data  from  TCAS  flights,  supplemented  by  data  taken  by  ground  radars 
at  NASA's  Wallops  Island  facility  give  a  measure  of  the  frequency  of 
occurrence  of  this  kind  of  failure.  That  is  combined  with  the 
results  of  simulations  on  the  TCAS  altitude  tracker  to  determine  the 
ultimate  effects.  It  is  concluded  that  the  Risk  Ratio  ascribable  to 
a  stuck  C-bit  is  about  0.2  percent — considerably  less  than  that 
arising  from  altimetry  error  or  maneuvering  intruders. 


Equipment  Failure 

Some  hardware  failures  in  TCAS  and  in  the  intruder's  transponder 
could  cause  an  induced  NMAC — a  list  of  such  generic  failures  is 
provided  in  Appendix  F.  To  assure  that  this  type  of  failure  is 
remote,  an  approach  is  given  which  indicates  a  relation  between  mean 
time  between  failure,  performance  monitoring,  and  periodic 
maintenance  to  achieve  these  goals. 

6.  Visual  Acqusitlon 

The  study  assumes  that  if  the  pilot  of  the  TCAS  aircraft  visually 
acquires  a  conflicting  aircraft,  he  will  avoid  it.  Data  from 
flights  made  both  on  the  TCAS  program  and  on  the  earlier 
ground-based  anticollision  system.  Intermittent  Positive  Control, 
validated  a  theoretical  model  of  visual  acquisition.  Applying  the 
results  of  the  model  to  a  variety  of  aircraft,  crossing  angles,  and 
speeds,  in  clear  weather,  it  is  found  that  the  probability  of  visual 
acquisition  is  about  0.83.  In  good  weather,  visual  acqusition,  as 
aided  by  the  TCAS  TAs,  can  play  an  important  role  in  collision 
avoidance . 

7.  Fault  Tree  for  TCAS  Safety  Analysis 
The  fault  tree  constructed  for  this  study  provides  both  a 
qualitative  and  a  quantitative  means  to  identify  and  analyze  failure 
modes  in  the  overall  system.  A  fault  tree  identifies  all  possible 
means  by  which  the  undesired  event  (NMAC)  can  occur,  organizes  them 
into  a  logical  structure  to  study  the  processes  leading  to  failures, 
and  systematically  identifies  all  their  root  causes  and 
interactions. 


The  two  primary  types  of  TCAS  failures,  which  we  are  interested  in 
evaluating  are: 


1. 


Two  aircraft  are  on  flight  paths  such  that  the  pilot  will 
need  to  make  a  maneuver  in  order  to  avoid  an  NMAC;  TCAS 
does  not  provide  an  advisory  adequate  to  enable  the  pilot 
to  avoid  it.  This  is  an  "Unresolved  NMAC". 

2.  Two  aircraft  are  on  flight  paths  such  that  if  no  maneuver 
is  made,  an  NMAC  will  not  occur  (the  aircraft  will  pass 
safely  in  the  vertical  dimension).  A  faulty  instruction 
is  issued  (in  particular,  a  Resolution  Advisory)  which  is 
followed,  causing  a  critical  NMAC  to  occur.  This  is  an 
"Induced  NMAC". 

The  top-level  fault  tree  for  these  events  is  shown  in  Figure  1. 

Each  of  these  events  is  further  subdivided  in  the  trees  shown  in 
Figures  2  and  3. 

Table  2  is  a  summary  of  the  basic  probabilities  obtained  from  the 
analyses  conducted  in  this  study.  From  this  data  the  failure  rates 
of  various  events  in  the  fault  tree  can  be  obtained. 

In  addition  to  these  quantified  probabilities,  there  are 
human-factor  considerations  which  are  less  easily  quantified,  there 
being  no  historical  data  base.  These  account  for  the  use  of  visual 
acquisition,  the  use  of  the  Traffic  Advisory,  and  the  use  of  the 
Resolution  Advisory.  In  turn,  these  may  be  broken  down  further 
depending  upon  whether  an  action  is  taken  or  not  taken. 

•  Visual  Acquisition  (V).  Upon  visual  acquisition,  as  aided 
by  TCAS,  it  is  expected  that  the  pilot  will  be  able  to  avoid 
an  NMAC.  However,  this  might  fail  in  one  of  two  ways: 
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NEAR  MIDAIR  COLLISION  (NMAC): 


TCAS  FAULT  TREE:  TOP  EVENT  (CRITICAL  NMAC) 


TABLE  2 

SUMMARY  OF  BASIC  PROBABILITIES 


CONDITION  PRESENT 

Instrument  Meteorological  Conditions 

Bright  Daylight  Conditions 

GA  and  "other"  Aircraft 

Intruder  is  Transponder  Equipped 

Intruder  is  Mode  C  Transponder  Equipped 

Risk  Ratio  for  GA  Altimetry 
Unresolved  Component 
Induced  Component 

Risk  Ratio  for  Maneuvering  Intruder 

Probability  of  not  being  tracked 
at  time  of  TA 
at  time  of  RA 

Risk  Ratio  for  "Stuck  C-Bit" 

Risk  Ratio  for  Equipment  Failure 

Probability  of  not  visually  acquiring  in 
bright  daylight  conditions 
by  15  s  before  CPA 
by  time  of  RA 


PROBABILITY 

.16 

.70 

.79 

.92 

.61 

.0317 

.0143 

.0174 

.027 

.06 

.03 

.002 

.0001 

.17 

.35 


-  VNA:  The  pilot  visually  acquires  the  threat,  but  does 
Not  Avoid  the  NMAC. 

-  VMIR:  The  pilot  visually  acquires  the  threat  but  still 
Maneuvers  on  an  Incorrect  Resolution  Advisory. 

•  Resolution  Advisory  (R):  Expedient  action,  at  least 
compatible  with  the  RA,  is  necessary.  Various  factors  may 
inhibit  the  pilot's  reaction  thereby  failing  to  avoid  an 
NMAC.  This  leads  to  the  following  failure: 

-  RNF:  The  pilot  does  Not  JFollow  the  RA. 

•  Traffic  Advisory  (T):  The  intent  of  the  TA  is  to  alert  the 
pilot  to  search  for  the  intruder.  If  visual  acquisition  is 
not  achieved  and  action  is  taken  on  the  TA  alone,  failure 
may  occur  in  one  of  two  ways: 

-  TNA:  Based  on  his  interpretation  of  the  TA,  the  pilot 
disregards  an  RA  or  what  he  sees  and  does  Not  Avoid  the 
NMAC. 

-  TI:  The  pilot  maneuvers  to  Induce  an  NMAC  based  on  his 
interpretation  of  the  TA. 

These  five  failure  mechanisms  are  tested  as  variables  in  the 
analysis. 

The  evaluation  of  the  fault  tree  is  simplified  if  a  nominal,  or 
baseline,  set  of  operational  conditions  is  assumed.  Variations  from 
these  nominal  conditions  are  then  explored  in  a  subsequent  analysis 


of  the  sensitivity  to  these  assumptions.  The  assumed  nominal 
conditions  are: 

1.  If  a  pilot  visually  acquires  a  conflicting  aircraft,  he 
will  avoid  it. 


2.  In  absence  of  visual  acquisition,  the  pilot  follows  the 
Resolution  Advisory. 

3.  Visual  acquisition,  as  aided  by  the  Traffic  Advisory 
display  for  Mode  C  aircraft,  is  assumed  to  be  effective 
only  in  bright  daylight. 

4.  The  airborne  traffic  has  today's  level  of  transponder  and 
Mode  C  equipage. 

5.  The  intruder  is  not  TCAS~equipped .  (If  the  intruder  were 
TCAS-equipped ,  it  would  have  air  carrier  quality  altimetry, 
and  its  displayed  escape  maneuver  would  be  coordinated.) 

6.  No  "false  moves”  are  made  by  the  TCAS  pilot  either  from 
confusion  or  from  prematurely  maneuvering  based  on  a 
Traffic  Advisory. 


7.  Today’s  level  of  vigilance  for  see-and-avoid  procedures  is 
maintained;  that  is,  TCAS  does  not  cause  the  pilot  to  relax 
his  guard. 

Evaluating  the  fault  tree  proceeds  with  evaluating  both  of  the  major 
branches  under  these  nominal  conditions,  to  get  the  probability  of 
the  top  event. 


*  *  Ji  •  -  • 


*  *  'V 


Unresolved  NMAC  (The  000  Branch) 

Evaluation  of  this  branch  (called  event  2-000)  proceeds  by  setting 
all  ATC  faults  to  a  failure  probability  of  1.0  (such  failure  is 
presumed  to  have  already  occurred,  or  the  pre-existing  NMAC  would 
not  be  in  process).  We  can  summarize  the  failure  modes  and  their 
relative  probabilities  which  do  not  include  human  factors  as  follows 

•  Encounters  in  which  neither  TA  nor  RA  is  received.  This 

failure  is  primarily  caused  by  lack  of  Mode  C  equipage 
levels,  and  is  the  principal  failure  mode  for  TCAS. 
(Probability:  .41) 

•  Bright  daylight  encounters  in  which  a  TA  is  received,  visual 
acquisition  does  not  occur  and  an  inadequate  RA  is 
generated.  (Probability:  .0008) 

•  Encounters  in  which  a  TA  is  received,  visual  acquisition  is 
not  possible,  and  an  inadequate  RA  is  received. 

(Probability:  .002) 

•  Encounters  in  which  a  TA  is  not  received  prior  to  the  RA,  an 

RA  is  generated,  but  it  is  inadequate  to  avoid  the  NMAC. 
(Probability:  .0004) 

In  addition,  there  are  failure  modes  which  relate  to  the 
human-factors  variables  as  follows: 

•  Bright  daylight  encounters  in  which  a  TA  is  received  and 
visual  acquisition  does  occur  before  the  RA,  but  the  pilot 
fails  to  avoid  the  critical  NMAC  with  probability  VNA  + 

TNA.  (Probability:  .259(VNA  +  TNA) ) 


•  Bright  daylight  encounters  in  which  a  TA  is  received  and 
visual  acquisition  does  not  occur,  an  RA  is  generated,  but 
the  pilot  fails  to  follow  the  RA  with  probability  RNF. 
(Probability:  .138  RNF) 

•  Bright  daylight  encounters  in  which  a  TA  is  received,  visual 
acquisition  occurs  but  not  before  the  RA  is  issued.  An 
inadequate  RA  is  issued,  and  the  pilot  acquires  the  threat, 
but  does  not  determine  the  RA  to  be  inadequate  with 
probability  VMIR.  (Probability:  .0008  VMIR) 

•  Encounters  in  which  a  TA  is  received,  visual  acquisition  is 
not  possible,  and  the  pilot  does  not  follow  the  RA  with 
probability  RNF.  (Probability:  .169  RNF) 

•  Encounters  in  which  no  TA  is  received,  an  RA  is  received  but 
is  not  followed  with  probability  RNF.  (Probability:  .020 
RNF) 

The  total  failure  rate  is  thus  .413  +  .259  (VNA  +  TNA)  +  .327  (RNF) 

+  .0008  (VMIR). 

Induced  NMAC  (The  500  Branch) 

The  failure  scenarios  for  this  event  (called  event  2-500),  where 

TCAS  might  induce  an  NMAC,  and  their  associated  probabilities  are: 

•  Encounters  in  which  visual  acquisition  occurs  but  the  pilot 
does  not  see  that  the  RA  is  incorrect  with  probability 
VMIR.  (Probability:  .014  VMIR) 
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•  Encounters  in  which  a  TA  is  received  and  visual  acquisition 
is  possible,  but  fails  to  occur.  (Probability  .0029) 

•  Encounters  in  which  a  TA  is  received,  but  visual  acquisition 
is  not  possible.  (Probability:  .0073) 

•  Encounters  in  which  a  TA  is  not  received.  (Probability: 
0.0008) 

•  Encounters  in  which  a  TA  is  received,  incorrectly  acted 
upon,  and  causes  an  NMAC  (Probability:  .59  TI) 

The  probability  of  event  2-500  is  thus  .011  +  .014  VMIR  +  .59  TI. 


Top  Event 


As  the  two  major  events  are  mutually  exclusive,  the  two 


probabilities  add  to  obtain  the  probability  of  a  critical  near 
midair  collision,  which  Is  .424  plus  a  residual  composed  of  human 


factors  failures,  as  seen  in  Figure  4. 


8.  Sensitivity  Analysis 

Sensitivity  of  five  basic  system  fault  probabilities  was  tested  in 
this  analysis:  Mode  C  equipage,  surveillance  failure,  altimetry 
error,  maneuvering  intruder  hazard,  and  human  factors.  To  test  the 
change  in  the  probability  of  events  2-000  and  2-500  (and  thus  the 
top  event)  corresponding  to  changes  in  failure  rates  of  these 
elements,  the  failure  rates  were  varied  between  bounds  judged 
appropriate  for  each  element  as  follows: 


FIGURE  4 

CALCULATION  OF  THE  PROBABILITY  OF  TOP  EVENT 


•  Equipage:  The  nominal  probability  for  an  encounter  with  a 
Mode  C  aircraft  is  .61.  To  test  the  effect  of  this  factor, 
the  calculations  were  also  run  assuming  all  aircraft  Mode  C 
equipped . 

•  Surveillance:  The  nominal  surveillance  track  probability  is 
.94  for  a  TA  and  .97  for  an  RA.  This  quantity  was  explored 
by  alternatively  improving  surveillance  by  a  factor  of  three 
and  degrading  it  by  a  factor  of  about  two  (e.g.,  probability 
of  receiving  RA  varied  from  .99  to  .94). 

•  Altimetry  error.  The  only  significant  component  is  tiu-t 
ascribed  to  general  aviation  aircraft  (uncorrected  static 
error).  Sensitivity  to  this  parameter  was  tested  both  by 
varying  the  standard  deviation  plus  and  minus  20  percent, 
and  by  changing  the  form  of  the  distribution  from  Gaussian 
to  exponential. 

•  Maneuvering  Intruder  Hazard:  The  overall  probability  of 
encountering  an  intruder  that  would  start  maneuvering  in 
such  a  manner  and  at  just  the  time  to  "fake  out"  the  TCAS 
and  cause  an  NMAC  was  estimated  from  airborne  data.  The 
sensitivity  to  this  factor  was  explored  by  changing  the 
maneuver  probability  by  50  percent,  both  higher  and  lower. 

•  Human  Factors.  In  the  nominal  case,  no  pilot  failure  modes 
were  accounted  for,  although  five  were  identified.  To  give 
some  indication  of  the  effect  of  these  failure  modes,  they 
were  permitted  to  fail  at  the  rate  of  1  in  20. 


Also,  three  basic  assumptions  were  made  in  the  nominal  estimate: 

TAs  were  not  given  on  aircraft  that  are  transponder  equipped,  but 
which  do  not  report  Mode  C;  visual  acquisition,  as  enhanced  by  the 
TCAS,  is  used  to  provide  separation,  and  RAs  are  followed  in 
instrument  meteorological  conditions  (IMC).  The  sensitivity 
analysis  tests  the  opposing  assumptions:  that  non-Mode  C  aircraft 
are  tracked,  that  enhanced  visual  acquisition  is  not  effective,  and 
that  RAs  are  not  followed  in  IMC. 

Failure  Probabilities 

The  resulting  changes  in  probability  for  events  2-000,  2-500  are 
graphed  in  Figure  5  on  a  logarithmic  scale.  The  lines  across  the 
bars  represent  the  nominal  probability  of  each  event.  It  should  be 
noted  that  a  change  in  probability  of  event  2-000  is  accompanied  by 
a  corresponding  change  in  the  probability  of  event  2-500  in  most 
cases.  For  example,  higher  Mode  C  equipage  results  in  much  lower 
probability  of  an  unresolved  NMAC  but  a  higher  probability  of  an 
induced  NMAC. 

Surveillance  failure  has  little  effect  on  the  probability  of  both 
unresolved  and  induced  NMACs.  Altimetry  error  and  maneuvering 
intruder  hazards  have  no  discernable  impact  on  unresolved  NMACs,  but 
induced  NMACs  are  sensitive  to  these  factors.  If,  instead  of  the 
Gaussian  error  model,  an  exponential  error  model  is  assumed  and  the 
failure  probabilities  are  calculated,  the  effect  is  similar  to  using 
the  Gaussian  mod  .1  with  about  a  15  percent  increase  in  nominal  error. 

If  TAs  were  to  be  provided  on  non-Mode  C  aircraft,  there  would  be  a 
significant  reduction  in  the  unresolved  NMACs  without  an  increase  in 
induced  NMACs. 
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Improved  visual  acquisition,  arising  from  the  presentation  of  TAs, 
has  little  effect  on  unresolved  NMACs.  This  is  due  to  the  fact  that 
since  only  Mode  C  aircraft  are  tracked,  there  is  high  probability  of 
getting  an  RA,  given  the  TA;  the  only  impact  of  visual  acquisition 
is  to  correct  inadequate  RAs,  which  are  infrequent.  For  induced 
NMACs,  the  benefit  of  improved  visual  acquisition  can  be  seen  by 
observing  that,  without  any  TAs  (visual  acquisition  ineffective), 
that  portion  of  the  failure  rate  approximately  doubles. 

By  not  following  RAs  in  IMC,  we  can  avert  a  substantial  number  of 
induced  NMACs  as  shown  by  the  bar  on  the  right  side  of  Figure  5; 
however,  this  also  increases  the  number  of  unresolved  NMACs. 

Human  Factors 

To  obtain  some  indication  of  the  effect  of  human  factors  failure 
modes,  a  failure  rate  of  .05  (1  failure  every  20  situations  in  which 
the  potential  for  failure  exists)  was  used.  The  individual  failures 
have  been  broken  down  into  their  five  components  (VNA,  TNA,  RNF, 
VMIR,  and  TI)  and  graphed  in  Figure  6,  using  the  same  scale  as 
Figure  5. 

It  can  be  seen  from  the  graph  that  human  factors  has  little  impact 
on  the  unresolved  component  of  the  failure  rate,  which  is  only 
slightly  sensitive  to  VNA  (intruder  was  visually  acquired  but  NMAC 
not  avoided),  TNA  (TA  misleads  the  pilot  into  disregarding  a  visual 
acquisition  or  correct  RA),  and  RNF  (RA  not  followed).  The 
unresolved  component  is  very  insensitive  to  VMIR  (Maneuver  on  an 
incorrect  RA  in  spite  of  visual  acquisition  Indications)  because  the 
opportunity  to  make  this  error  is  infrequent  (.08%  of  all  NMAC 
encounters).  TI  (use  of  the  Traffic  Advisory,  inducing  an  NMAC  ) 
does  not  apply  to  the  unresolved  component. 
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FIGURE  6 

INFLUENCE  OF  HUMAN  FACTORS  ON  OVERALL  SYSTEM  PERFORMANCE 
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As  for  the  induced  component,  it  can  be  seen  that  the  potential 
exists  for  a  significant  number  of  failures  by  use  of  the  Traffic 
Advisory  to  make  an  incorrect  maneuver  which  induces  an  NMAC.  It 
should  be  noted,  however,  that  this  may  be  an  over-estimate  for  the 
following  reasons: 

1.  Pilot  training  should  reduce  the  use  of  the  TA  for  purposes 
other  than  as  an  aid  to  visual  acquisition. 

2.  If  the  TA  is  used  for  maneuvering,  we  assumed  the  following 
conservative  conditions: 

a.  Visual  acquisition  is  not  attempted  or  is  not  possible 

b.  If  the  display  is  accurate,  the  pilot  must  interpret  it 
adversely  and  disregard  any  ensuing  RA  (actually,  a 
chain  of  concurrent  probabilities). 

As  can  be  seen  in  Figure  6,  the  induced  component  of  the  failure 
rate  is  not  sensitive  to  the  other  factors  (VMIR,  RNF,  TNA,  or  VNA). 

If  all  five  factors  were  to  fail  independently  at  the  rate  of  1  in 
20,  the  relative  probability  of  an  NMAC  would  be  48.4  percent,  with 
the  unresolved  component  being  44.2  percent  and  the  induced 
component  being  4.2  percent. 

9.  Findings 

The  basic  philosphy  is  to  make  the  assessment  realistic,  but 
conservative.  In  particular,  no  credit  was  assumed  for  the 
following: 


•  Visual  acquisition  in  less  than  .bright  daylight  conditions 

•  Some  situation  checking  features  in  the  logic  feature 

•  Aircraft  leveling  out  gradually  instead  of  abruptly 

•  The  Resolution  Advisory  preventing  an  incorrect  maneuver,  or 
correcting  one  that  may  have  been  prematurely  taken  on  a 
Traffic  Advisory 

The  data  and  analyses  brought  to  focus  in  this  study  disclose  the 
following  findings  relative  to  the  Risk  Ratio. 

1.  Under  a  nominal  set  of  baseline  conditions  this  ratio  is 
about  42  percent.  Figure  7  shows  this,  with  the  first  bar 
(100  percent)  as  the  pre-existing  risk  of  encountering  a 
NMAC  without  TCAS;  the  second  bar  (Risk  Ratio  is  42 
percent)  is  the  risk  of  encountering  an  NMAC  with  TCAS 
under  the  nominal  conditions.  Most  of  this  residue  is 
attributable  to  the  lack  of  complete  equipage  with  altitude 
reporting  transponders. 

If  the  capability  to  track  all  non-Mode  C  aircraft  and 
display  an  "altitude  unknown"  Traffic  Advisory  were  added 
to  the  nominal  system,  a  major  reduction  in  the  unresolved 
component  of  the  Risk  Ratio  would  be  obtained;  the  residue 
would  decrease  to  about  25  percent,  as  shown  in  the  third 
bar  of  Figure  7.  This  is  caused  by  the  improved  visual 
acquisition  that  would  result  for  those  aircraft  that  are 
on  a  near  collision  course. 
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FIGURE  7 

RELATIVE  TCAS  EFFECTS 


The  greatest  payoff,  however,  in  reducing  the  risk  of  NMACs 
would  be  to  increase  the  number  of  aircraft  having  altitude 
reporting  transponders.  Statistics  on  avionics  show  the 
trend  to  be  in  that  direction.  If  all  aircraft  were 
equipped  with  altituding  reporting  transponders,  the  Risk 
Ratio  would  decrease  to  5  percent  (the  fourth  bar  of  Figure 
7),  two  thirds  of  which  is  attributable  to  surveillance 
limitations;  the  remainder  is  attributable  to  maneuvering 
intruders  and  to  altimetry  error. 

Most  of  the  residue  under  nominal  conditions  is  caused  by 
an  inability  to  avoid  an  NMAC  that  would  have  occurred  even 
without  TCAS  (the  unresolved  component  of  Risk  Ratio). 

Under  certain  conditions,  however,  the  system  itself  can 
induce  an  NMAC  (the  induced  component  of  Risk  Ratio).  The 
risk  of  that  occurring  for  the  nominal  conditions  is  about 
one  percent  of  the  risk  encountering  an  NMAC  without  TCAS 
(shaded  parts  of  the  bars  in  Figure  7;  see  also  Table  3). 
The  primary  cause  for  these  failures  are  altimetry  errors 
and  sudden  maneuvers  by  the  intruder. 

If  the  standard  deviation  (Gaussian  distribution)  of 
general  aviation  altimetry  error  were  to  be  20  percent 
larger  than  estimated,  the  induced  component  of  Risk  Ratio 
would  increase  to  about  1.7  percent.  While  this  component 
is  small  relative  to  the  unresolved  component,  and  the 
overall  effect  on  Risk  Ratio  is  small,  the  minimization  of 
induced  NMACs  is  in  itself  a  major  TCAS  objective.  If  the 
assumed  error  distribution  were  characterized  by  the  heavy 
tailed  symmetrical-exponential  distribution  instead  of  the 
Gaussian,  the  nominal  induced  component  of  Risk  Ratio  would 


TABLE  3 

SENSITIVITY  TO  VARIOUS  FACTORS 


OVERALL  I  UNRESOLVED  I  INDUCED 


CONDITION 


Nominal 


Non-Mode  C  Traffic  Advisories 


100  Percent  Mode  C  Equipage 


20  Percent  Higher  GA 
Altimetry  Error 


Exponential  Altimetry  Error 
Model 


50  Percent  Increase  in 
Probability  of  Fake-Out  Maneuver 


Probability  of  Missed  Surveil¬ 
lance.  30  Percent  of  Nominal 


Aided  Visual  Acquisition  Not 
Effective 


TCAS  Not  Used  in  IMC 


Human  Factor  Failures:  One 
Per  20  Encounters 


RISK  RATIO 
(Percent) 


COMPONENT 

(Percent) 


COMPONENT 

(Percent) 
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be  1.5  percent  —  somewhat  larger  than  before  but  similar 
in  effect. 

The  contribution  of  altimetry  error  to  the  total  overall 
Risk  Ratio  is  dominated  by  the  GA  errors;  whe  hazard  caused 
by  air  carrier  errors  is  at  least  an  order  of  magnitude 
lower.  A  reduction  of  the  GA  altimetry  error  provides  more 
than  proportionate  reduction  in  the  induced  component  of 
the  Risk  Ratio. 

The  risk  of  two  air  carriers,  both  equipped  with  TCAS, 
having  an  NMAC  is  several  orders  of  magnitude  less  than 
without  TCAS;  altimetry  is  corrected,  maneuvers  are 
coordinated,  and  both  aircraft  have  surveillance. 

TCAS  is  susceptible  to  being  thwarted,  in  certain  cases,  by 
an  intruder  making  a  sudden  vertical  maneuver.  The 
situation  of  most  concern  is  one  in  which  an  intruder  with 
a  substantial  vertical  rate  approaches  a  level  TCAS 
aircraft  so  as  to  project  a  crossing  through  its  altitude. 

A  vertical  escape  initiated  by  the  TCAS  aircraft  could  be 
thwarted  ("faked  out")  if  the  intruder  were  suddenly  to 
level  off  at  a  critical  time  and  altitude.  The  study  used 
actual  aircraft  data  from  Piedmont  flights  and  from  FAA 
flights  to  estimate  the  contribution  of  this  factor  to 
overall  Risk  Ratio.  A  50  percent  increase  in  the 
probability  of  a  fakeout  maneuver  will  cause  a  nearly 
proportionate  increase  in  the  induced  component  (increases 
the  induced  component  of  Risk  Ratio  from  1.1  percent  to  1.4 
percent) . 


4.  The  nominal  performance  of  surveillance  quality  was 
estimated  from  live  track  data  in  many  regions  of 
airspace.  If  the  missed  track  rate  were  to  decrease  from 
its  nominal  rate  of  three  percent  to  one  percent,  a  small 
improvement  in  the  unresolved  component  of  Risk  Ratio  would 
be  obtained;  the  induced  component  is  essentially 
unaffected. 

5.  A  Traffic  Advisory  is  displayed  on  an  intruder 
approximately  15  seconds  before  the  Resolution  Advisory  is 
posted.  This  precursor  is  intended  to  alert  the  pilot  to 
start  a  visual  search  for  an  aircraft  that  may  be  of 
concern.  If  visual  acquisition  is  obtained,  an  incorrect 
Resolution  Advisory,  such  as  from  altimetry  error,  can  be 
overriden  by  the  pilot.  This  aided  acquisition  reduces  the 
induced  component  of  Risk  Ratio  by  more  than  half.  Very 
little  effect  occurs  for  the  unresolved  component,  as  a 
Resolution  Advisory  almost  always  occurs  if  a  Traffic 
Advisory  is  present. 

6.  If  TCAS  is  not  used  in  IMC,  which  constitutes  roughly  16 
percent  of  the  NMACs ,  the  unresolved  component  would 
correspondingly  Increase,  and  the  induced  component  would 
correspondingly  decrease. 

7.  The  probability  of  encountering  an  NMAC  in  today's 
environment,  in  the  absence  of  TCAS,  is  approximately  once 
in  100,000  hours  of  flight.  Four  quite  different 
approaches  to  obtaining  this  estimate  were  used,  and  they 
were  all  within  4:1  of  this  value. 


v.v 

v.v 


8.  Five  pilot  failure  modes  (human  factors)  were  postulated 
and  their  relative  impact  parametrically  assessed.  The 
most  severe  failure  postulated  (TI)  is  one  in  which  the 
pilot  used  the  Traffic  Advisory  for  maneuvering  rather  than 
for  visual  acquisition,  made  an  inappropriate  maneuver,  and 
disregarded  any  subsequent  Resolution  Advisory.  The  second 
most  severe  human  factor  failure  is  one  in  which  the 
Resolution  Advisory  is  simply  not  followed. 

If  all  five  human  factor  failures  were  to  fail  independently 
at  the  rate  of  1  in  20,  the  Risk  Ratio  would  be  about  48 
percent,  with  the  induced  component  accounting  for  4.2 
percent . 

10.  Conclusions  and  Recommendations 


Operational  Implications 

Operational  discipline  for  the  use  of  TCAS  will  vary  depending  on 
many  factors.  However,  it  was  found  that:  (1)  visual  acquisition, 
as  aided  by  the  Traffic  Advisory  display,  can  play  an  important  role 
both  in  improving  see-and-avoid  and  in  minimizing  the  effects  that 
would  Induce  critical  NMACs,  (2)  alertness  remains  necessary  in 
visual  conditions  both  to  protect  against  aircraft  not  equipped  with 
transponders  and,  to  a  much  lesser  extent,  to  protect  against 
equipped  aircraft  which  may  be  missed  by  TCAS  surveillance. 


If  TCAS  is  not  used  in  IMC,  the  induced  component  of  NMACs  would 
decrease;  however,  the  larger  benefit  of  being  able  to  resolve  NMACs 
in  IMC  would  also  decrease. 


Training  Implications 

During  the  course  of  this  System  Safety  study,  several  factors  that 
should  be  addressed  in  a  training  and  proficiency  program  became 
apparent . 

1.  Traffic  Advisories  are  intended  to  aid  visual  acquisition 
and  to  prepare  the  pilot  should  a  Resolution  Advisory 
follow.  Premature  maneuvering  based  on  the  Traffic 
Advisory  alone  could  be  self  defeating. 

2.  Prompt  reaction  when  a  Resolution  Advisory  is  posted  is 
important.  In  order  to  be  able  to  maneuver  through  the 
uncertainties  of  altimetry  error,  a  displacement  on  the 
order  of  400-500  ft  may  be  necessary  (larger  at  high 
altitudes).  A  delayed  reaction  will  reduce  the 
displacement  achievable  in  the  available  time. 

3.  From  the  results  of  the  study  it  appears  that  the  pilot  is 
statistically  better  off  by  trusting  his  instrument  than  by 
not  trusting  it — the  ratio  of  resolving  NMACs  to  inducing 
them  is  23:1.  If,  in  addition.  Traffic  Advisories  are  used 
to  aid  visual  acquisition,  this  ratio  increases  to  58:1. 


Equipment  Reliability  Implications 

The  type  of  equipment  failure  of  concern  for  this  study  is  one  which 

could  cause  an  NMAC.  If  one  occurs  which  does  not  cause  the 

performance  monitor  to  immediately  turn  off  TCAS,  it  should  be  at 
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the  rate  of  10  ,  or  less,  per  NMAC  to  be  negligible  relative  to 

other  causes.  The  performance  monitor  therefore  needs  to  be 
effective  in  i  meeting  critical  sources  of  failure  in  the  elements 
of  the  TCAS  system. 


Program  Implications 

The  System  Safety  study  highlighted  several  recommended  areas  that 
the  TCAS  Program  might  emphasize  in  the  future. 

1.  Steps  should  be  initiated  to  confirm  applications  of  TCAS 
in  IMC.  A  determination  of  the  detailed  nature  of 
altimetry  and  of  maneuvering  intruders  under  poor 
visibility  conditions  should  be  obtained  and  methods 
explored  for  controlling  them. 

2.  Identify  steps  that  might  be  undertaken  to  remove 
out-of-tolerance  altimeters  from  the  system. 

3.  Develop  pilot  training  measures  to  specifically  treat 
human -factor  failure  modes  that  have  been  identified. 
Consider  means  to  verify  the  effectiveness  of  such  steps. 

Changes  Required 

This  study  resulted  in  an  intensive  evaluation  of  all  safety-related 
parameters  and  procedures.  It  was  concluded  that  an  increase  of  the 
ALIM  parameter  at  low  altitudes  appears  desirable.  This  would 
decrease  the  effects  of  altimetry  error  and  would  not  affect  the 
alarm  rate  significantly. 


1.  INTRODUCTION 


1.1  Purpose  of  the  Study 

The  aircraft  Traffic  Alert  and  Collision  Avoidance  System 
(TCAS),  which  provides  vertical-plane  resolution  advisories,  is 
designated  minimum  TCAS  II.  TCAS  (Reference  1),  developed  in 
response  to  a  widely  perceived  need  to  provide  the  pilot  with 
an  independent,  back-up  collision  avoidance  system,  is  in  the 
final  phase  of  its  development  and  operational  evaluation  in  a 
commercial  air  carrier. 

Because  TCAS  is  intended  to  provide  emergency  information  to 
the  pilot  in  time  to  avert  an  impending  collision,  a 
quantitative  evaluation  of  its  performance,  advantages  and 
limitations  with  respect  to  the  improvement  of  aviation  safety 
is  essential;  the  TCAS  System  Safety  study  was  performed  to 
satisfy  this  need.  U.S.  airspace  already  has  many  levels  of 
"separation  assurance"  built  into  the  Air  Traffic  Control  (ATC) 
system — "see-and-avoid"  procedures,  flight  plan  clearance,  ATC 
surveillance,  Conflict  Alert  at  the  ATC  facility,  and  an 
impressive  array  of  redundant  systems  and  fail-back 
procedures.  The  TCAS  equipment  and  procedures  must  be 
compatible  with  this  environment. 

The  airspace  environment  introduces  three  major  limitations  to 
TCAS  effectiveness  that  must  be  assessed: 

•  The  effect  of  using  TCAS  in  an  environment  where  some 
aircraft  do  not  have  ATC  transponders. 

•  The  effect  of  instrumentation  and  calibration  errors  in 
altimetry  measurement  and  reporting. 
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•  The  effect  of  an  Intruder  making  sudden  maneuvers, 
especially  ones  which  would  thwart  a  TCAS  Resolution 
Advisory. 

Each  of  these  not  only  can  render  the  ”CAS  ineffective,  but  of 
more  concern,  they  can  cause  TCAS  to  make  the  situation  worse 
than  before.  In  addition  to  these  limitations  there  are  the 
more  conventional  failure  mechansisms :  avionics  failures , 
software  failures,  misinterpretation  of  displays,  failure  to 
respond,  etc.  It  is  necessary  to  quantitatively  assess  the 
magnitude  of  each  factor,  uncover  interrelationships  among 
system  elements,  and  make  those  recommendations  which  will 
minimize  the  effects  of  any  safety  related  faults. 

1.2  Methodology 


1.2.1  Study  Approach 

A  System  Safety  study  is  an  overall  assessment  of  the 
interrelation  of  all  factors  pertinent  to  system  performance — 
TCAS  avionics,  the  pilot,  the  other  aircraft,  and  the  ATC 
system.  Performance  of  the  System  Safety  study  required  the 
development  of  analytical  techniques  and  simulation  modeling, 
plus  the  analysis  of  flight  test  data  and  historical  data,  to 
provide  a  sound  technical  basis  for  the  study.  The  study  uses 
the  "fault  tree"  technique  to  structure  a  "top  down"  analytical 
approach  (Reference  2).  This  begins  with  the  undesired  event 
(a  near  midair  collision)  at  the  top  of  the  logical  tree  and 
systematically  branches  down  to  the  root  causes  (faults)  of  the 
undesired  top  event.  The  approach  was  channelled  into  three 
major  areas: 


a.  Definition  Systematic  description,  using  fault 

tree  techniques,  of  all  possible 
ways  in  which  failure  could  occur. 

b.  Qualification  Analysis  of  the  TCAS  fault  tree  to 

determine  which  failure  modes  are 
most  Important  and  which  are  less 
likely  or  unlikely  to  occur. 

c.  Quantification  An  analysis  of  the  predominate 

failure  mechanisms  is  conducted  to 
determine  their  probability  of 
occurrence.  The  computation  of 
overall  system  risk  follows 
directly. 

In  addition,  the  active  participation  of  the  aviation  community 
was  seen  to  be  a  necessary  means  to  assure  that  all  Important 
aspects  of  System  Safety  were  addressed.  The  following 
approach  was  taken  in  the  course  of  the  study  to  coordinate 
these  elements: 

•  A  study  team  was  formed  among  personnel  from  the  FAA, 
MITRE,  and  M.I.T.  Lincoln  Laboratory.  This  team 
developed  the  analysis  and  data  reduction  required  to 
perform  the  System  Safety  study,  and  provided  periodic 
progress  briefings. 

•  Members  of  the  aviation  community,  together  with  FAA 
and  DoD  representatives  (Appendix  A),  were  invited  to 
participate  in  the  review  of  the  briefings.  Five 


progress  briefings  were  held  during  the  course  of  the 
study. 


The  TCAS  System  Safety  study  would  not  have  achieved  the 
results  presented  in  this  report  without  this  in-process 
review,  particularly  of  the  private  sector  reviewers  who  were 
more  than  generous  in  their  contributions  of  time  and  effort. 

By  their  questions  and  comments  during  the  course  of  the  study, 
these  individuals  and  the  organizations  they  represented  helped 
assure  that  the  study  focused  on  the  critical  issues  and  that 
important  issues  were  not  overlooked. 

1.2.2  Study  Assumptions  and  Limitations 

The  TCAS  System  Safety  study  has  been  structured  broadly  enough 
to  be  applicable  for  analysis  of  the  minimum  TCAS  II  system  in 
all  traffic  situations  and  environmental  conditions  that  are 
expected  in  normal  flight.  Whenever  possible,  the  parameters 
used  in  the  study  were  derived  from  TCAS  test  flight  data.  In 
particular,  the  vertical  rates,  altitude  separation,  slant 
ranges  and  advisory  rates  used  to  describe  the  airspace  are 
derived  from  flight  test  data,  with  particular  emphasis  on  the 
Phase  I  Operational  Evaluation  tests  conducted  with  Piedmont 
Airlines  (normal  air  carrier  operation  on  an  IFR  flight  plan). 

A  TCAS  installation  for  VFR  operation,  such  as  onboard  general 
aviation  aircraft,  might  be  quite  different  and  is  not  treated 
here. 

In  the  analysis  of  the  effects  of  the  system  errors,  the 
parametric  effect  of  failure  rates  and  error  magnitudes  is 
given  for  all  major  error  sources.  Altimetry  error  is  assumed 
to  follow  a  Gaussian  distribution,  and  the  magnitude  of  this 


error  for  particular  classes  of  aircraft  is  derived  from  the 
available  data.  These  assumptions  are  tested  to  determine  the 
sensitivity  of  their  effects  on  the  results.  Indeed,  the  basic 
analysis  used  conservative  assumptions  and  subsequently  tested 
these  assumptions  so  that  the  underlying  effects  could  be  made 
apparent. 

Failure  mechanisms  related  to  human  factors  are  also  defined. 
These  pilot-related  failures  are  difficult  to  assess  since  no 
appropriate  data  base  exists  at  present.  Accordingly,  these 
factors  are  defined  as  variable  terms  in  the  analysis  of  the 
fault  tree,  and  their  effects  are  noted  parametrically,  and 
compared  with  the  effects  of  other  failure  mechanisms. 

The  analysis  performed  in  this  study  includes  all  the 
underlying  ATC  processes  as  they  exist  at  present;  however,  it 
does  not  account  for  any  interaction  between  the  TCAS  flight 
crew  and  the  ATC  system  during  the  period  of  the  TCAS  alert. 
Such  interaction,  for  example,  could  involve  calling  ATC  for 
advice  when  a  Traffic  Advisory  is  received. 

1.2.3  Criteria 

The  principal  criterion  for  performance  is  simply  the 
probability  of  encountering  the  top-level  undesired  event — a 
near  midair  collision.  The  choice  of  a  near  midair  collision 
(NMAC)  rather  than  simply  a  midair  collision  is  made  both  to 
introduce  an  element  of  conservatism  and  to  be  able  to  utilize 
a  substantial  data  base  for  the  calculations.  The  FAA  defines 
three  classes  of  NMAC  in  Reference  3,  which  is  quoted  as 
follows : 


1.  Critical:  a  situation  where  collision  avoidance  was 


due  to  chance  rather  than  an  act  on  the  part  of  the 
pilot.  Less  than  100  ft  of  aircraft  separation  would 
be  considered  critical. 

2.  Potential:  an  incident  which  would  probably  have 
resulted  in  a  collision  if  no  action  had  been  taken  by 
either  pilot.  Closest  proximity  of  less  than  500  feet 
would  usually  be  required  in  this  case. 

3.  No  Hazard:  when  direction  and  altitude  would  have  a 
midair  collision  improbable  regardless  of  evasive 
action  taken." 

For  this  study,  we  will  use  the  definition  of  critical  NMAC  to 
quantify  our  results.  Thus,  an  NMAC  is  one  in  which  the 
aircraft  pass  within  100  ft  vertically  and  close  horizontally 
(approximately  500  ft). 

Basically  we  are  interested  in  evaluating  the  question,  "Is  one 
better  off  with  TCAS  than  without  it?"  The  measure  of  this 
question  is  determined  by  evaluating  the  risk  of  encountering 
an  NMAC  with  TCAS,  and  dividing  that  by  the  risk  of 
encountering  an  NMAC  without  TCAS.  This  quantity  is  defined  as 
the  "Risk  Ratio".  Later  sections  of  this  report  will  evaluate 
Risk  Ratios  of  individual  fault  mechanisms  and  combine  them 
appropriately  to  obtain  the  overall  Risk  Ratio.  Fortunately, 
it  was  found  to  be  possible  to  compute  the  Risk  Ratio  directly 
and  so  to  be  able  to  evaluate  the  net  Impact  of  TCAS  on  the 
safety  of  flight,  without  being  too  concerned  about  determining 
the  precise  current  level  of  risk  in  the  absence  of  TCAS. 

1.3  Structure  of  the  Report 

Section  2  of  this  report  provides  a  brief  overview  of  TCAS, 
pertinent  considerations  in  its  design,  operating 
characteristics,  and  displays.  Section  3  describes  the 
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pertinent  information,  abstracted  from  several  data  sources, 
upon  which  the  analyses  in  Section  4  and  5  are  based.  Section 
6  evaluates  the  role  of  visual  acquisition  (see-and-avoid) . 
These  elements  are  all  brought  together  in  the  fault  tree  of 
Section  7.  Section  8  assesses  the  sensitivity  of  the 
evaluation  to  variations  in  the  component  factors.  The  key 
findings  of  the  study  are  presented  in  Section  9,  followed  by 
the  conclusions  and  recommendations  in  Section  10. 
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BRIEF  OVERVIEW  OF  TCAS 

The  subject  of  this  safety  study  is  the  minimum  TCAS  II  system 
described  in  the  Minimum  Operational  Performance  Standard  of 
the  Radio  Technical  Commission  for  Aeronautics  (RTCA), 
including  the  functions  of  high  density  operation,  bearing 
estimation,  and  display  of  Traffic  Advisories.  This  section 
gives  a  brief  summary;  considerable  detail  will  be  found  in 
Reference  1. 

2.1  The  TCAS  Concept 

The  TCAS  concept  provides  a  family  of  airborne  collision 
avoidance  services  based  upon  the  processing  of  ATC  transponder 
replies  from  proximate  aircraft.  TCAS  provides  airborne 
collision  avoidance  services  without  the  need  for  ground 
equipment.  TCAS  capabilities  range  from  a  minimal  warning 
system,  designated  as  TCAS  I,  to  a  full  capability  traffic 
advisory  and  resolution  advisory  system,  designated  as  TCAS 
II.  TCAS  II  is  capable  of  operating  In  high  density  terminal 
areas.  The  minimum  TCAS  II  provides  for  maneuvers  only  in  the 
vertical  plane;  enhanced  TCAS  II  is  expected  to  provide  for 
maneuvers  in  the  horizontal  plane  as  well  as  the  vertical  plane. 

TCAS  equipment  will  generate  Traffic  Advisories  and  Resolution 
Advisories  when  in  conflict  with  other  TCAS  aircraft,  as  well 
as  with  other  intruders  equipped  either  with  today's 
conventional  transponder  or  with  a  Mode  S  transponder. 

2.2  Minimum  TCAS  II  Overview 

The  minimum  TCAS  II  uses  active  interrogation  of  ATC 
transponders  to  track  nearby  aircraft  in  slant  range  and 
relative  altitude;  It  uses  these  to  assess  the  collision  threat 


potential  and  to  generate  appropriate  collision  avoidance 
advisories. 

The  minimum  TCAS  II  is  designed  to  have  a  nominal  surveillance 
range  of  14  nautical  miles  over  which  it  tracks  transponder 
equipped  aircraft  in  range  and  altitude.  An  on-board  direction 
finding  antenna  is  used  to  measure  intruder  bearing. 
Transponders  are  interrogated  in  discrete  address  Mode  S  or 
Mode  C-Only  All  Call  signal  formats  approximately  once  every 
second.  The  low  duty  cycle,  directional  interrogation  and  an 
automatic  interference  limiting  capability  prevent  any 
operationally  significant  impact  on  the  ground  ATC  surveillance 
system. 

TCAS  II  provides  the  pilot  with  Traffic  Advisories  and  with 
Resolution  Advisories.  In  collision  encounters,  the  system 
design  assures  that  the  Traffic  Advisory  normally  occurs 
approximately  15  seconds  before  the  Resolution  Advisory.  The 
Traffic  Advisory  can  be  presented  on  a  weather  radar  CRT 
display  in  a  graphical  format  which  provides  the  range, 
bearing,  and  relative  altitude  of  the  potential  threat. 

As  an  option,  non-Mode  C  aircraft  may  also  be  tracked.  If  an 
intruding  aircraft  is  not  reporting  altitude  through  its 
transponder,  it  is  not  possible  to  determine  if  the  aircraft  is 
a  potential  collision  threat.  Therefore,  for  intruders  not 
equipped  with  altitude  reporting  transponders,  TCAS  II  may 
generate  Traffic  Advisories  but  will  not  generate  Resolution 
Advisories.  However,  If  the  aircraft  were  on  near  collision 
course,  such  Traffic  Advisories  would  enhance  visual 
acquisition. 


An  aircraft  is  declared  to  be  a  collision  threat  to  the  TCAS  II 
aircraft  if  either  its  current  position,  or  its  projected 
position,  simultaneously  violate  range  and  relative  altitude 
criteria.  Generally,  an  aircraft  will  be  declared  to  be  a 
collision  threat  20-30  seconds  before  closest  approach,  at 
which  time  a  Resolution  Advisory  is  displayed.  This  provides 
time  for  an  escape  maneuver  by  the  pilot. 

The  Resolution  Advisory  is  chosen  to  provide  a  specific  margin 
of  separation  with  a  minimum  change  in  the  existing  flight  path 
of  the  TCAS  II  aircraft.  The  minimum  TCAS  II  utilizes 
maneuvers  in  the  vertical  plane  only.  The  Resolution 
Advisories  can  be  displayed  on  a  modified  instantaneous 
vertical  speed  indicator.  Positive  advisories  can  be  indicated 
by  lighted  arrows,  and  negative  and  speed  limit  advisories  can 
be  indicated  by  lighted  curved  bars  which  define  the  regions  of 
vertical  speeds  that  are  to  be  avoided. 

Before  the  Resolution  Advisory  is  selected,  a  coordination 
exchange  is  made  with  the  threat  aircraft  if  it  also  is  TCAS  II 
equipped.  Coordination  ensures  that  complementary  Resolution 
Advisories  will  be  displayed  and  that  both  TCAS  II  maneuvers 
will  increase  separation  between  the  aircraft.  For  example,  oi.t 
aircraft  would  have  a  climb  advisory,  the  other  a  descend 
advisory.  The  escape  maneuvers  are  designed  so  that  sufficient 
separation  is  generated  if  only  one  of  the  aircraft  follows  the 
advisory. 

If  the  threat  aircraft  is  equipped  with  the  TCAS  I  system,  a 
crosslink  Traffic  Advisory  message  is  sent  providing  TCAS  I 
with  the  relative  position  of  the  TCAS  II  aircraft  as  seen  by 
TCAS  I.  This  message  is  transmitted  when  TCAS  II  displays  its 


Resolution  Advisory,  and  is  continuously  updated  throughout  the 
encounter. 


TCAS  II  threat  detection  and  resolution  logic  thresholds  are 
chosen  to  assure  adequate  separation  and  an  acceptable  alarm 
rate  under  various  conditions  of  flight.  This  function  is 
called  sensitivity  level  control.  The  sensitivity  level  of  the 
TCAS  II  logic  is  described  by  a  single  parameter  that  ranges 
from  1  to  7.  Higher  sensitivity  level  values  provide  more 
warning  time  for  collision  avoidance  by  effectively 
establishing  a  larger  protection  volume  around  the  TCAS  II 
equipped  aircraft.  In  areas  of  high  traffic  densities,  large 
protection  volumes  can  lead  to  high  alarm  rates.  Therefore, 
lower  sensitivity  level  values  are  used  in  high  density  areas 
to  reduce  the  protection  volume  and  the  alarm  rate.  Values  of 
sensitivity  level  can  be  selected  by  a  number  of  means;  such  as 
by  pilot  control,  by  automatic  control  based  on  TCAS  aircraft 
barometric  and  radar  altitude,  and  by  data  link  command  from 
Mode  S  ground  stations. 


2.3  Collision  Avoidance  Algorithms 


TCAS  II  performs  its  aircraft  separation  assurance  function  by 
displaying  Traffic  Advisories  to  the  pilot  for  potential 
collision  threats,  and  Resolution  Advisories  for  maneuvers  to 
increase  separation.  The  TCAS  II  Collision  Avoidance 
Algorithms  use  the  tracks  formed  by  the  TCAS  II  surveillance 
function  to  make  this  determination.  The  principal  functions 
of  the  TCAS  II  collision  avoidance  algorithms  are  threat 
detection,  resolution,  and  communication  and  coordination. 


All  airborne,  altitude-reporting  aircraft  that  are  tracked  by 
TCAS  II  are  considered  intruders.  TCAS  II  evaluates  each 


intruder  through  a  prescribed  sequence  of  tests  to  declare  the 
intruder  a  threat  or  a  non-threat.  The  characteristics  of  an 
intruder  that  are  examined  to  determine  if  it  is  a  threat  are 
its  altitude,  altitude  rate,  range  and  range  rate. 

TCAS  11  generates  Resolution  Advisories  for  all  intruders 
declared  threats.  Each  threat  is  processed  individually  for 
selection  of  the  appropriate  Resolution  Advisory  based  on  track 
data  and  coordination  with  other  TCAS  II  equipped  aircraft. 
Coordination  communications  involve  the  air-to-air  transmission 
of  maneuver  selections  to  assure  the  display  of  compatible 
Resolution  Advisories. 

2.3.1  Threat  Detection 

TCAS  measures  range  to  the  tracked  aircraft,  and  receives  the 
altitude  of  the  tracked  aircraft  in  the  transponder  reply. 
Filtering  algorithms  derive  range  rate  and  altitude  rate  from 
the  sequence  of  replies.  Each  aircraft  track  is  tested  once 
per  second  to  determine  whether  the  collision  threat  criteria 
are  passed. 

To  be  considered  a  collision  threat,  the  tracked  aircraft  must 
be  threatening  (i.e.  converging  or  already  very  close)  in  both 
range  and  altitude.  The  convergence  test  accounts  for  a  wide 
spread  of  speeds  by  testing  the  time  remaining  until  closest 
approach,  determined  by  dividing  range  by  range  rate,  and  by 
testing  a  similar  ratio  for  altitude.  The  altitude  test  is 
augmented  by  a  projection  of  the  vertical  miss  distance 
expected  at  the  time  of  closest  approach,  so  that  an 
unnecessary  alarm  is  avoided  if  the  two  aircraft  are  diverging 
vertically. 
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Traffic  Advisories  are  determined  using  similar  tests,  but  with 
a  larger  protected  volume.  This  is  achieved  by  using  larger 
threshold  values  for  altitude,  range,  and  time  to  closest 
approach.  For  a  potential  collision  encounter,  a  Traffic 
Advisory  is  displayed  approximately  15  seconds  before  the 
Resolution  Advisory  is  displayed.  The  intent  of  the  Traffic 
Advisory  is  to  alert  the  pilot  to  start  a  visual  search  for  the 
intruding  aircraft. 

2.3.2  Resolution  Advisor 


When  a  tracked  aircraft  is  first  declared  a  threat,  TCAS 
selects  its  sense  (upward  or  downward)  for  intended 
resolution.  This  is  determined  by  predicting  the  result  of 
potential  "Climb"  and  "Descend”  escape  maneuvers.  The  threat 
is  projected  to  continue  its  current  vertical  rate,  and  the 
sense  giving  larger  vertical  separation  at  the  closest  point  of 
approach  is  selected.  The  modeled  escape  maneuvers  assume  an 
escape  rate  of  1500  feet  per  minute,  unless  the  TCAS  aircraft 
already  has  a  greater  vertical  rate  in  the  direction  of  escape 
being  considered.  In  that  case,  the  existing  vertical  rate  is 
used  for  the  prediction. 

In  a  conflict  involving  two  TCAS  aircraft,  the  first  to  detect 
the  conflict  selects  a  resolution  sense  as  described  above,  and 
sends  notice  of  its  choice  to  the  other  aircraft  using  the 
air-to-air  link.  The  other  TCAS  then  selects  the  complementary 
sense,  ensuring  a  compatible  escape.  A  protocol  that  tests  the 
discrete  addresses  of  the  aircraft  transponders  is  used  to 
resolve  encounters  in  which  both  TCAS  units  simultaneously 


attempt  sense  selection. 


After  the  sense  (upward  or  downward)  of  a  resolution  advisory 
has  been  selected,  TCAS  determines  which  of  its  advisories  (see 
below)  will  provide  adequate  vertical  separation  (the  value  of 
the  parameter  ALIM)  with  minimum  change  of  flight  path. 


Upward  Sense 


Downward  Sense 


Climb 

Do  not  descend 
Do  not  descend  faster  than 
500  fpm 

Do  not  descend  faster  than 
1000  fpm 

Do  not  descend  faster  than 
2000  fpm 


Descend 
Do  not  climb 
Do  not  climb  faster 
than  500  fpm 
Do  not  climb  faster 
than  1000  fpm 
Do  not  climb  faster 
than  2000  fpm 


TCAS  reevaluates  its  Resolution  Advisory  once  per  second.  The 
strength  of  the  advisory  may  change  as  the  encounter 
progresses.  TCAS  minimizes  such  transitions,  with  its  primary 
consideration  being  adequate  vertical  separation,  and  its 
secondary  consideration  being  the  disruptive  effects  of 
Resolution  Advisory  transitions  and  excessive  escape 
maneuvers.  When  the  collision  threat  criteria  are  no  longer 
satisfied,  TCAS  removes  its  Resolution  Advisory. 
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CHARACTERIZATION  OF  TCAS  ENVIRONMENT 

Obviously,  the  operational  performance  of  TCAS  depends  on  the 
airspace  in  which  it  is  used.  In  en  route  positive  control 
airspace,  the  performance  can  be  expected  to  be  quite  different 
from  uncontrolled  airspace  near  a  terminal  having  a  high  degree 
of  VFR  traffic.  For  this  study,  the  TCAS  will  be  evaluated  for 
an  air  carrier  aircraft  operating  its  normal  routes  on  an  IFR 
flight  plan.  It  is  typified  by  the  routes,  airspace,  and 
traffic  encountered  by  flights  conducted  by  Piedmont  Airlines  as 
they  carried  the  TCAS  equipment  for  four  months  in  the  Fall  of 
1981  and  Winter  of  1982. 

To  characterize  the  environment,  the  following  sources  of  data 
were  used: 

•  Incident  reports  on  Near  Midair  Collisions  (NMAC) 
collected  by  the  FAA 

•  TCAS  data  recorded  on  the  Piedmont  Phase  I  flights 
every  time  a  Traffic  Advisory  or  Resolution  Advisory 
occurred 

•  TCAS  operations  as  recorded  on  the  FAA  B727  aircraft 
in  flights  at  Atlantic  City,  Washington,  and  Chicago 

•  Information  and  data  on  altimetry  errors 

The  following  subsections  will  discuss  these  sources  of  data  and 
the  inferences  to  be  drawn  from  them. 

3.1  Incident  Reports  on  Near  Midair  Collisions  (NMAC) 

The  FAA  Office  of  Aviation  Safety  (ASF-200)  collects  and 
maintains  reports  of  near  midair  collisions  as  well  as  of  actual 


collisions  (Reference  3).  The  value  of  the  NMAC  incident 
reports  for  a  study  such  as  this  is  that  there  are  many  more  of 
these  incidents  than  there  are  of  collisions.  This  provides  a 
small  but  sufficient  sample  for  characterizing  the  TCAS 
environment.  The  FAA's  coded  data  base  goes  back  to  1973.  In 
1981  a  new  format  was  instituted.  As  a  result,  a  data  set  was 
established  for  the  years  1973-1980,  and  will  be  used  for  most 
of  this  analysis. 

The  NMAC  data  base  provides  information  on  the  following  items: 

•  The  altitude  distribution  of  these  encounters 

•  The  visibility  conditions  under  which  they  occurred 

•  The  operator  of  the  other  aircraft  (at  least  one  of 
the  aircraft  will  be  air  carrier  IFR) 

•  The  fraction  of  transponder  and  Mode  C  equipage  in  the 
encounters 

•  The  risk  of  encountering  an  NMAC 

3.1.1  Altitude  Distribution 

The  NMACs  for  air  carrier  aircraft  flying  on  IFR  flight  plans 
occurred  at  various  altitudes.  Figure  3-1  shows  the  frequency 
of  occurrence  with  altitude  for  the  105  of  those  incidents  in 
the  8-year  data  base.  While  some  of  these  occurred  at  high 
altitudes,  36,000  ft  being  the  highest,  most  (71  percent) 
occurred  below  10,000  ft.  This  suggests  the  conclusion  that 
flight  in  the  terminal  area  is  the  phase  of  most  concern. 


FIGURE  3-1 

ALTITUDE  DISTRIBUTION  OF  NMACS 


3.1.2  Visibility  Conditions 

The  visibility  under  which  the  105  air  carrier  IFR  NMACs 
occurred  is  listed  in  Table  3-1. 


TABLE  3-1 

VISIBILITY  CONDITIONS 


VISIBILITY 


FREQUENCY 


Less  than  5  ml 
Greater  than  5  mi 
Unknown 
Total 


14  (6  less  than  1  mi) 
86  (40  unlimited) 

JL 

105 


High  visibility  dominated — a  fact  that  is  well  known.  To 
obtain  a  rough  estimate  of  the  relevance  of  Instrument 
Meteorological  Conditions  (IMC)  to  NMACs,  we  observe  that  14 
incidents  were  reported  to  have  occurred  with  visibility  less 
than  5  miles,  while  86  had  visibility  greater  than  5  miles. 

IMC  is  usually  declared  for  visibility  less  than  3  miles  (5 
miles  above  10,000  ft  MSL),  but  these  thresholds  are  not  broken 
out  in  the  NMAC  reports.  One  can  then  say  that  less  than  1/6 
of  the  NM4Cs  were  in  IMC. 

Of  greater  interest  is  the  fact  that  70  percent  of  these 
encounters  occurred  in  bright  daylight,  and  that  of  these,  93 
percent  were  first  sighted  when  they  were  less  than  1/2  mile 
away.  From  this  one  can  infer  that  if  TCAS  could  provide  an 
aid  to  visual  acquisition,  such  an  aid  could  be  highly 
valuable.  Section  6  will  provide  a  quantitative  background  for 
estimating  the  value  of  such  a  feature,  and  Section  7  will 
combine  all  the  factors  into  the  fault  tree. 


3.1.3  Operator  of  Other  Aircraft 

The  other  aircraft  in  the  NMAC  data  were  classified  as  to  their 
type  of  operator:  9  percent  air  carrier,  12  percent  military, 

71  percent  general  aviation,  and  8  percent  “other"  or  unknown. 

3.1.4  Fraction  of  Transponder  Equipage 

The  NMAC  data  base  for  the  years  1973-1980  does  not  provide  a 
direct  answer  to  the  question  of  transponder  equipage  of 
general  aviation  aircraft,  which  is  of  great  importance  to  the 
collision  avoidance  system  (as  well  as  to  ATC  automa¬ 
tion).  However,  the  new  format  introduced  in  1981  includes 
this  information,  so  the  data  for  the  years  1981-1982  will  be 
used  here,  both  "critical"  and  "potential”  NMAC  data  in  order 
to  augment  the  sample  size.  There  were  146  of  these  incidents 
in  which  at  least  one  of  the  aircraft  was  an  air  carrier  on  an 

IFR  flight  plan.  Although  these  reports  designate  whether  an  1 

aircraft  is  transponder  equipped,  they  say  nothing  about  Mode 

C.  However,  one  can  look  at  the  type  of  aircraft  encountered  \ 

when  the  NMAC  occurred  and  draw  some  inferences  about  the  level 
of  Mode  C  equipage.  Of  146  incidents,  75  percent  were  against 

general  aviation  aircraft.  j 

Using  the  1981-1982  NMAC  data,  the  type  of  GA  aircraft  involved  j 

in  an  encounter  with  an  air  carrier  IFR  aircraft  was  obtained,  j 

as  well  as  whether  the  GA  aircraft  carried  a  transponder.  S 

Table  3-2  shows  this  information.  It  is  seen  that  90  percent  ^ 

i 

of  the  GA  aircraft  involved  in  these  incidents  carried  '< 

transponders.  ( 


As  both  a  reasonableness  check  of  this  data  and  as  a  way  to 
estimate  Mode  C  equipage,  the  1981  General  Aviation  avionics 
survey  (Reference  5)  was  consulted.  Table  3-3  presents  the 
pertinent  data.  The  levels  of  transponder  equioage  for  all  but 
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TABLE  3-2 

NMAC  INCIDENTS  WITH  GA  AIRCRAFT  (1981,  1982) 


AIRCRAFT  TYPE 


Single  Engine,  Piston 
1-3  seats 
4+  seats 

Twin  Engine,  Piston 
1-6  seats 
7+  seats 


Turboprop 


TOTAL 


PERCENT  OF  NMAC 
WITH  GA 

AIRCRAFT  THIS  TYPE 


TRANSPONDER 
EQUIPPED  (PERCENT 
OF  TYPE)  • 
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the  smallest  class  of  aircraft  compare  favorably  with  those 
given  in  Table  3-2.  That  is,  the  transponder  equipage  of  those 
aircraft  conflicting  with  an  air  carrier  is  close  to  that  of  the 
national  GA  fleet .  The  exception  involving  small  single  engine 
aircraft  may  indicate  that  many  of  the  unequipped,  small 
aircraft  do  not  become  involved  in  NMACs  with  air  carrier  IFR 
aircraft . 

We  will  assume  that  the  Mode  C  percentages  in  the  GA  fleet 
(Table  3-3)  apply  to  the  GA  aircraft  involved  in  the  NMACs.  By 
combining  the  equipage  of  all  the  types  based  upon  the 
percentage  of  each  involved  (even  for  the  small  aircraft),  it 
was  determined  that  of  the  90  percent  of  transponder  equipped 
general  aviation  aircraft  involved  in  the  NMACs,  56  percent  of 
these  are  Mode  C  equipped.  Furthermore,  assuming  that  all  air 
carrier  and  military  aircraft  are  Mode  C  equipped,  and  assuming 
that  "other”  aircraft  involved  are  no  better  equipped  than 
general  aviation  aircraft,  then  an  overall  equipage  level  can  be 
estimated.  The  result  is  that  92  percent  of  all  aircraft 
involved  in  the  NMACs  are  estimated  to  be  transponder  equipped, 
66  percent  of  which  are  also  Mode  C  equipped. 

As  a  further  check  on  these  numbers,  the  data  obtained  by 
measurement  of  the  airborne  traffic  environment  in  the  Los 
Angeles  basin  was  consulted  (Reference  6).  In  that  case,  85 
percent  of  the  aircraft  were  found  to  be  transponder  equipped, 

68  percent  of  which  were  Mode  C. 

Also,  the  airborne  traffic  observed  over  a  5  hour  period  by  the 
Mode  S  sensor  near  Philadelphia  (Clementon)  showed  that  76 
percent  of  the  transponders  were  Mode  C.  This  data  sample  was 
taken  under  good  visibility  conditions  when  a  substantial  amount 
of  uncontrolled  traffic  was  present. 


All  of  the  above  gives  general  substantiation  of  the  figures 
obtained  from  the  NMACs  and  GA  avionics  statistics  —  92  percent 
transponder  equipage,  66  percent  of  which  are  also  Mode  C  (i.e., 
61  percent  of  aircraft  had  Mode  C  transponders). 

3.1.5  Risk 

Figure  3-2  shows  the  frequency  of  reported  NMACs  occurring  for 
each  year  from  1973  to  1980.  The  bottom  of  each  bar  indicates 
those  NMACs  involving  at  least  one  air  carrier  aircraft.  Recent 
experience  shows  that  about  22  air  carrier  aircraft  are  involved 
in  an  NMAC  each  year  (for  air  carriers  operating  on  an  IFR 
flight  plan,  this  figure  is  about  19) . 

Reference  4  shows  that  air  carriers  fly  approximately 
8  x  10^  hours  per  year,  for  1979  and  1980.  Thus,  this  data 
indicates  that  the  risk  of  an  air  carrier  aircraft  encountering 
an  NMAC  is  about  2.8  xlO  ®  per  hour  of  flight.  (Reference  4 
also  indicates  that  an  average  flight  is  slightly  more  than  one 
hour.  So  the  risk  per  flight  is  roughly  equal  to  the  risk  per 
hour. ) 

For  various  reasons,  some  incidents  will  not  be  reported.  On 
the  other  hand  some  «f  the  encounters  may  have  minimum 
separations  larger  than  100  feet  —  there  is  no  precise  way  of 
measuring  the  distance.  Also,  some  few  air  carrier  operations 
are  not  conducted  on  IFR  flight  plan.  Since  our  major  interest 
is  for  air  carrier  IFR  operations,  these  factors  place  an 
uncertainty  on  the  true  risk.  A  check  of  this  value  will  be 
made  in  later  sections  using  other  data.  However,  as  noted 
earlier,  the  exact  level  of  risk,  while  of  interest,  is  not  a 
key  parameter  in  this  study  since  we  intend  to  evaluate  directly 
the  relative  Risk  Ratio. 
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Data  collected  on  the  on-board  TCAS  recording  system  while  the 
equipment  was  carried  on  normal  Piedmont  operational  flights 
provides  another  source  which  can  be  used  to  further 
characterize  the  environment.  Of  course,  this  data  was  for  an 
air  carrier  flying  under  IFR  all  the  time.  While  these  routes 
did  not  cover  all  possible  cases  —  for  example.  Piedmont  did 
not  fly  transcontinental,  nor  did  they  land  at  small  commuter 
airports  —  they  were  typical  (see  Reference  8) . 

In  order  to  conserve  recording  resources,  the  TCAS  recording 
system  was  automatically  turned  on  only  when  TCAS  activity 
occurred.  This  was  accomplished  by  starting  the  recording 
whenever  the  Traffic  Advisory  criteria  were  met,  and  stopping 
the  recording  10  seconds  after  the  Traffic  Advisory  was 
removed.  Accordingly,  the  Piedmont  data  is  present  only  when  a 
TA  or  RA  is  posted.  Two  distinct  methods  of  data  reduction  were 
used:  the  first  analyzed  only  the  inciting  tracks  —  those 
tracks  which  caused  the  TA  or  RA  — ;  the  second  analyzed  all 
tracks  that  were  in  the  track  file  during  the  time  that  the 
recorder  was  energized. 


3.2.1  Inciting  Tracks 


Whenever  a  TA  or  RA  was  posted,  its  track  was  examined  for  the 
duration  of  the  encounter,  and  various  inferences  were  drawn 
from  this  data  (Reference  9).  The  key  items  obtained  from  this 
investigation  were: 


The  altitude  distribution  of  the  RAs 


The  relative  altitude  distribution  at  the  closest 
point  of  approach 


The  predicted  altitude  crossings  when  the  TCAS 
aircraft  was  level 


I 

•  An  estimate  of  the  risk  of  encountering  an  NMAC 

3. 2.1.1  Altitude  Distribution 

Considering  the  sample  size,  the  distribution  in  altitude  of  the 
RAs  is  roughly  similar  to  that  of  the  NMACs  previously  reported; 
57  percent  occurred  below  10,000  ft  and  one  occurred  as  high  as 
30,000  ft. 

3. 2. 1.2  Relative  Altitude  Distribution 

If  the  tracks  causing  the  RA  are  followed  through  until  the 
closest  point  of  approach,  and  at  that  point  the  relative 
altitude  separation  is  noted,  the  data  in  Figure  3-3  is 
obtained.  While  the  sample  size  is  relatively  small,  (21 
points),  this  distribution  appears  to  be  fairly  uniform  to  about 
1400  ft,  at  which  point  it  tapers  off.  To  inquire  further  into 
the  distribution,  the  TAs  were  examined,  these  are  shown  in 
Figure  3-4.  Here,  the  sample  size  is  larger  (140  points).  Two 
characteristics  of  this  data  are  notable:  first,  the 
distribution  below  700  feet,  or  so,  is,  indeed,  relatively 
uniform;  and  second,  there  is  a  pronounced  peak  at  1000  ft. 
However,  the  peak  in  the  TAs  is  caused  by  the  normal  IFR 
separation,  1000  ft;  the  TA  vertical  threshold,  provided  other 
conditions  are  satisfied,  is  1200  feet. 

The  approximately  uniform  distribution  could  arise  because 
aircraft  actually  are  flying  random  altitudes  (not  too  likely, 
given  the  ATC  system;  and  contradicted  by  the  existence  of  the 
peak  in  TAs  at  1000  ft),  or  it  could  arise  because  frequent 
altitude  transitions  occur.  To  test  this  hypothesis,  an 
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FIGURE  3-3 

RELATIVE  ALTITUDE  DISTRIBUTION  OF  RAs 
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examination  was  made  of  the  vertical  rates  at  the  time  of  the 
TA.  This  is  shown  in  Table  3-4,  where  it  is  seen  that  in  only 
25  percent  of  the  encounters  did  both  aircraft  have  a  vertical 
rate  of  less  than  300  fpm.  The  result  of  vertical  rates  for 
either  aircraft  is  to  spread  out  the  relative  altitudes  at  the 
closest  point  of  approach,  as  observed.  The  uniform 
distribution  phenomenon  is  an  important  result  which  will  be 
used  in  subsequent  analysis. 

Finally,  it  was  noted  that  in  only  one  instance  (4.8  percent  of 
all  RAs)  was  the  vertical  separation  less  than  100  ft. 

3. 2. 1.3  Predicted  Altitude  Crossings  for  Level  TCAS 

The  fraction  of  RAs  for  which  the  TCAS  aircraft  is  level,  and  an 
altitude  crossing  is  predicted  before  the  closest  point  of 
approach,  is  an  important  factor  in  the  environment,  as  will  be 
discussed  in  Section  4.2.  Since  the  number  of  RAs  was  small,  we 
examined  the  TAs  for  which  such  a  crossing  was  predicted. 

It  was  observed  that  when  the  TCAS  aircraft  was  level,  14 
percent  of  all  intruders  were  predicted  to  cross  in  altitude 
between  the  posting  of  the  Traffic  Advisory  and  the  closest 
point  of  approach. 

3. 2. 1.4  Risk 

No  NMACs  were  encountered  during  the  950  flight  hours  of  the 
Piedmont  trials.  However,  RAs  of  some  type  did  occur  about  once 
every  40  hours.  An  estimate  of  the  risk  of  encountering  an  NMAC 
will  be  made  using  this  alarm  rate  together  with  an  estimate  of 
how  often  enountering  aircraft  might  come  within  100  ft 
vertically  and  500  ft  horizontally. 
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TABLE  3-4 

VERTICAL  RATE  CHARACTERISTICS 
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In  Section  3. 2. 1.2  it  was  noted  that  4.8  percent  of  the  RAs 
passed  within  100  ft  vertically  at  the  closest  point  of 
approach.  In  Appendix  B,  an  estimate  is  made  of  the  probability 
that  the  two  aircraft  will  come  within  500  ft  horizontally  of 
each  other,  given  that  an  RA  has  occurred.  This  estimate 
assumes  a  uniform  distribution  of  headings,  and  it  makes  use  of 
the  recorded  maximum  closing  velocity,  which  can  be  obtained 
from  the  data.  On  an  overall  basis  the  estimate  of  the 
probability  of  coming  within  500  ft  horizontally,  given  that  an 
RA  is  being  generated,  is  .028.  Assuming  that  the  horizontal 
and  vertical  proximity  probabilities  are  independent,  the 
resulting  risk  of  an  NMAC  is  1/40  x  .048  x  .028  ■  3.4  x  10  ^ 
per  hour.  Section  3.1.5  also  obtained  an  estimate  of  this 
risk.  After  one  more  estimate  is  obtained,  all  three  will  be 
combined. 

3.2.2  All  Tracks 

In  addition  to  the  track  causing  the  TA  or  RA,  the  recorder 
maintains  records  of  all  tracks  in  view.  This  enables  one  to 
develop  a  significantly  larger  data  base  than  the  140  TAs.  It 
does,  however,  require  a  large  amount  of  time  and  computer 
resources  to  interpret  and  utilize  this  data.  A  sampling 
approach  was  taken  whereby  an  80-second  window  was  opened  when 
the  recorder  started.  Only  one  window  was  permitted  for  each 
TA.  A  new  TA  —  occurring  minutes,  hours,  or  days  later  — 
opened  a  new  window  of  data  for  analysis.  Each  track  in  the 
window  was  sampled  5  times  across  its  extent.  (Many  tracks 
lasted  for  a  much  shorter  time  than  the  80-second  window;  none 
were  used  if  they  lasted  less  than  16  seconds.)  The  tracks  were 
then  classified  as  being  "level"  (less  than  480  fpm  vertical 
rate),  "constant  rate",  or  "accelerating"  (any  change  of  480  fpm 
or  more) .  The  characteristics  that  are  needed  will  be  shown 
later 


in  Section  4.2.  It  was  noted,  however,  that  the  fraction  of 
level  tracks  and  the  fraction  of  those  that  are  projected  to 
cross  in  altitude  are  comparable  with  those  of  the  inciting 
tracks  just  discussed  in  Section  3. 2. 1.3. 

3.3  TCAS  Data  From  FAA  Flights 

Data  collected  from  previous  TCAS  flight  tests  utilizing  FAA 
Technical  Center  aircraft  were  analyzed  to  determine  the 
following  characteristics  of  the  traffic  environment: 

•  Distribution  of  horizontal  and  vertical  separation  at 
Closest  Point  of  Approach  (CPA) 

•  Distribution  of  vertical  rate  estimates 

•  Frequency  and  type  of  vertical  profile  changes 

•  Probability  of  an  NMAC 

The  data  base  for  this  analysis  is  ten  flight  tests  conducted 
between  19  August  and  28  October,  1981.  Air  Traffic  Control 
Radar  Beacon  System  (ATCRBS)  surveillance  messages  were  recorded 
by  the  Dalmo  Victor  on-board  flight  recording  system.  Unlike 
the  Piedmont  flights,  this  TCAS  data  recording  was  continuous, 
with  all  tracks  associated  with  targets  within  TCAS  surveillance 
being  analyzed.  There  were  316,777  ATCRBS  surveillance  messages 
and  7,748  unique  ATCRBS  tracks.  Of  these,  555  were  tracks  of 
aircraft  on  the  ground.  The  majority  of  these  ground  tracks 
would  not  have  caused  alarm  actions  because  of  radar  altimeter 
filtering  of  threats  on  the  ground  (not  implemented  at  the  time 
of  the  flights,  however),  so  they  were  manually  removed  from  the 
data  base.  To  facilitate  analysis,  a  subset  of  the  data  base 


was  created  which  was  composed  of  all  tracks  with  at  least  10 
good  Mode  C  reports.  The  total  data  base  included  92,261  TCAS 
cycles,  equivalent  to  25.6  hours  of  flight  data.  This  flight 
data  contained  88  track  hours  of  data  suitable  for  analysis. 
Table  3-5  presents  the  statistics  associated  with  each  test 
flight. 

The  majority  of  the  flights  were  conducted  at  the  FAA  Technical 
Center.  These  flight  tests  were  performed  to  evaluate  the 
command  resolution  logic  of  the  Dalmo  Victor  TCAS  System.  A 
TCAS  equipped  aircraft  and  an  unequipped  aircraft  (altitude 
reporting  transponder  only)  were  used  in  these  flight  tests. 

The  intruder  aircraft  could  perform  as  either  an  ATCRBS  intruder 
or  a  Mode  S  intruder.  (The  October  16  flight  test  was  performed 
primarily  to  evaluate  the  TCAS  resolution  logic  between  two  TCAS 
equipped  aircraft.)  Two  test  flights  were  performed  in  high 
density  airspace.  Low  approaches  were  flown  at  Chicago  O' Hare 
Airport,  and  14  planned  encounters  were  flown  in  the  Washington, 
D.C.  area.  Thirteen  additional  encounters  would  have  been 
observed  at  Chicago,  if  the  "radar  altimeter  filter"  had  not 
been  applied.  For  all  ten  flights,  153  resolution  encounters 
occurred,  using  the  TCAS  logic  of  April  1982.  Of  the  153 
resolution  encounters,  almost  all  were  preplanned.  The  only 
encounters  of  opportunity  were  five  in  Chicago,  five  in 
Washington,  D.C.,  and  eight  which  occurred  on  the  numerous 
flights  in  the  Atlantic  City  area. 

The  duration  of  tracks  declared  suitable  for  analysis  was 
obtained.  The  average  duration  was  approximately  100  seconds. 
Figure  3-5  presents  the  distribution  of  track  durations.  (Note 
the  abscissa  does  uot  have  a  constant  scale.) 


**  Includes  Mode  S  encounters. 
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FIGURE  3-5 

HISTOGRAMS  OF  ATCRBS  SURVEILLANCE  TRACK  DURATIONS 


After  identifying  the  tracks  which  were  suitable  for  analysis,  a 
technique  was  developed  to  obtain  accurate  vertical  position  and 
vertical  rate  estimates  based  on  the  entire  track  history.  A 
seven  point  moving  polynomial  fit  was  t-sed  to  provide  smoothed 
position  and  rate  estimates  from  the  Mode  C  report  history. 

This  technique  provided  considerably  more  accurate  information 
than  could  have  been  obtained  using  the  results  of  the 
predictive  altitude  tracker  in  the  TCAS  surveillance  system. 

The  polynomial  fit  technique  takes  advantage  of  all  subsequent 
reports  associated  with  each  track.  Since  the  range  information 
is  not  quantized  as  coarsely  as  the  altitude,  data  from  the  TCAS 
range  tracker  is  more  accurate  and  was  used  without  additional 
smoothing. 

3.3.1  Distribution  of  CPA  Conditions  and  Aircraft  Density 
Impact 

Figure  3-6  presents  the  cumulative  distributions  for  the 
horizontal  separations  at  the  closest  point  of  approach  (CPA) 
for  each  of  the  three  test  locations.  Up  to  a  range  of  2.6 
nautical  miles,  little  difference  in  the  distributions  can  be 
detected.  Beyond  this  range,  however,  the  density  effects 
become  apparent.  The  probability  of  horizontal  separation  being 
less  than  6  nautical  miles  in  Chicago  is  more  than  twice  the 
probability  in  the  Atlantic  City  area.  The  lack  of  a  density 
effect  on  the  distributions  for  ranges  less  than  2.6  nautical 
miles  reflects  the  influence  of  the  Air  Traffic  Control  System. 
Figure  3-6  can  be  used  to  assign  probabilities  to  hypothesized 
encounter  range  conditions  for  the  System  Safety  study. 


In  Figure  3-7,  the  cumulative  probabilities  of  the  vertical 
separation  at  CPA  are  shown.  Several  points  should  be  noted. 

The  density  effect  is  apparent  for  all  vertical  separations. 

The  probability  of  an  aircraft  passing  within  500  feet 
vertically  at  CPA  is  almost  twice  as  high  in  Chicago  and 
Washington,  D.C.,  as  it  was  at  the  FAA  Technical  Center.  An 
interesting  point  to  be  made  is  the  comparison  of  the  cumulative 
probabilities  at  1200  feet,  the  vertical  threshold  for  proximity 
advisories.  More  than  1/3  of  all  tracks  in  the  Chicago  area 
satisfy  this  condition  compared  to  less  than  15  percent  of 
tracks  in  the  Atlantic  City  area. 

All  three  distributions  shown  are  almost  uniform  up  to  about  900 
feet  vertical  separation;  the  uniformity  continues  beyond  1400 
feet  for  the  more  dense  environments  in  Washington,  D.C.,  and 
Chicago.  The  results  of  a  chi-squared  goodness-of-fit  test  (5 
percent  level  of  significance)  on  the  Chicago  and  Washington 
distribution  between  zero  and  1000  ft,  support  the  hypothesis  of 
a  uniform  distribution.  It  was  not  meaningful  to  perform  a 
similar  analysis  on  the  data  at  the  FAA  Technical  Center  because 
of  the  high  incidence  of  planned  encounters  there.  The  results 
of  this  analysis  are  consistent  with  those  presented  previously 
in  Section  3.2.  The  analysis  of  vertical  and  horizontal  CPA 
conditions  indicates  that,  as  the  density  increases,  the 
vertical  separation  distribution  at  CPA  is  affected  more  than 
the  horizontal  separation  distribution. 

The  assumption  of  independence  of  horizontal  and  vertical 
separation  components  at  CPA  is  strongly  supported  by 
statistical  tests.  The  correlation  coefficient  is  .0177  for  the 
nonparametric  Spearman  rank-order  statistic  where  0  implies 


Chicago 

Washington,  D.C 


no  correlation,  +1  implies  perfect  positive  correlation,  and  -1 
Implies  perfect  negative  correlation.  Several  other  tests  were 
made  with  equally  strong  rejection  of  dependence. 


Secondary  encounters  as  a  result  of  aircraft  responding  to  TCAS 
RAs  have  not  been  observed  on  the  Technical  Center  Test  Flights 
(25  hrs)  or  in  simulations  of  TCAS  in  terminal  environments  (44 
hrs)  at  the  ATC  simulation  facility  in  Atlantic  City. 

Simulation  of  2D  logic  at  both  Chicago  (Reference  11)  and 
Knoxville  (Reference  12)  and  simulation  of  vertical  logic  at 
Knoxville  (Reference  13)  under  IFR  and  VFR  conditions  resulted 
in  no  secondary  encounters. 

3.3.2  Vertical  Rates 

The  final  information  obtained  on  the  entire  track  data  base  was 
the  distribution  of  vertical  rates.  The  rate  estimates  were 
obtained  on  a  per  scan  basis  and  represent  the  time  distribution 
of  vertical  rates.  Table  3-6  presents  the  vertical  rate 
distributions  for  each  flight.  A  fairly  consistent  60  percent 
of  the  vertical  rate  estimates  reflect  level  or  nearly  level 
(0-300  fpm)  aircraft.  (This  compares  favorably  with  the  56 
percent  noted  previously  from  the  Piedmont  data  in  Table  3-4.) 
About  22  percent  of  the  rate  estimates  fell  in  the  600  to  1500 
feet  per  minute  range.  The  highest  observed  climb  rate  was  4200 
feet  per  minute.  Descent  rates  in  excess  of  6000  feet  per 
minute  were  only  observed  during  planned  encounter  scenarios. 

The  highest  descent  rate  not  associated  with  a  planned  scenario 
was  2900  feet  per  minute. 

3.3.3  Vertical  Profile  Changes 

An  important  question  is  the  probability  of  change  in  the 
vertical  profile  of  aircraft  being  tracked  by  TCAS.  Using  the 
previously  discussed  polynomial  fit  of  data,  a  method  of 
detecting  changes  in  the  vertical  profile  was  developed.  A 
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track  or  portion  of  a  track  was  declared  level  when  the  maximum 
vertical  displacement  in  the  tracked  position  did  not  exceed  150 
feet.  A  change  in  vertical  profile  was  declared  when  the 
variation  in  the  error  of  the  polynomial  fit  exceeded  a 
specified  threshold. 


Once  a  profile  was  declared,  the  track  was  split  into  track 
segments  by  the  profile  change.  The  three  vertical  profiles  are 
climb,  level,  and  descend.  Profile  changes  are  classified  in 
Table  3-7  into  one  of  four  subpopulations;  level  to  climb,  level 
to  descend,  climb  to  level,  and  descend  to  level.  If  a  track 
exhibited  no  profile  change,  it  was  classed  as  either  level, 
climbing,  or  descending. 


Over  65  percent  of  the  tracks  exhibited  no  profile  changes.  The 
remaining  tracks  exhibited  one  or  more  profile  changes.  If  a 
track  exhibited  a  climb  and  then  a  descend,  two  profile  changes 
were  declared;  climb  to  level,  and  level  to  descend.  A  sequence 
seen  on  the  Chicago  tape  was  a  descent  to  about  2400  ft  MSL, 
followed  by  a  level  segment  and  then  followed  by  another  descend 
segment.  This  represents  ATC  control  procedures  for  aircraft 
being  vectored  to  the  IIS  final  approach  course  at  Chicago, 
O’Hare.  Almost  twice  as  many  profile  changes  involving  a 
descent  portion  occurred  as  compared  with  profile  changes 
involving  a  climb.  This  again,  is  a  characteristic  of  the  ATC 
environment  in  the  terminal  area.  Only  6  percent  of  the  tracks 
exhibited  more  than  one  profile  change. 

Even  after  the  tracks  are  divided  into  segments  by  the  profile 
changes,  the  average  track  segment  duration  remained  high.  The 
duration  of  level  segments  was  60.2  seconds,  46.9  seconds  for 
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TABLE  3-7 

DISTRIBUTION  OF  VERTICAL  PROFILE  CHARACTERISTICS 
(ALL  TRACKS  BELOW  10,000  FEET  MSL) 


FREQUENCY 

i  PERCENT 

I 

CLIMB 

193 

1 

1  11.7 

LEVEL 

618 

1  37.3 

DESCEND 

302 

1  18.2 

CLIMB  TO  LEVEL 

102 

1  6.2 

DESCEND  TO  LEVEL 

183 

1  11.1 

LEVEL  TO  CLIMB 

92 

1  5.6 

LEVEL  TO  DESCEND 

164 

1  9.9 

1654 

)  100.0 

descend  segments  and  50.2  seconds  for  climb  segments.  The 
minimum  length  segment  was  11  seconds  and  the  maximum  length 
was  484  seconds. 

Of  primary  importance  is  the  probability  of  profile  changes 
occuring  within  the  time  period  the  intruder  may  be  selected 
for  threat  resolution  (approximately  40  seconds).  Figures  3-8 
and  3-9  present  the  probability  of  a  profile  change  for  a  given 
track  length.  To  obtain  the  probability  of  a  profile  change 
during  a  10  second  period,  every  track  was  divided  into 
10-second  increments  and  the  number  of  increments  containing  a 
profile  change  was  tallied.  The  procedure  was  repeated  for  20 
seconds,  and  so  forth.  Figure  3-8  indicates  approximately  one 
track  in  12  above  10,000  feet  MSL  would  include  a  profile 
change  during  a  40  second  period.  Similarly,  about  one  track 
in  eight  below  10,000  feet  would  contain  a  profile  change 
during  a  40  second  period. 

Use  of  the  preceding  information  for  determining  probability  at 
any  instant  in  time  of  a  potential  vertical  fake-out  maneuver 
is  shown  in  Appendix  C. 

Examination  of  TCAS  surveillance  data  indicates  that  the 
probability  of  a  profile  change  relative  to  the  TCAS  aircraft 
is  more  dependent  upon  the  flight  environment  than  upon 
proximity  to  the  TCAS  aircraft.  For  the  Chicago  and  Atlantic 
City  test  flights,  the  probability  of  a  profile  change  of  a 
tracked  aircraft  can  be  considered  uniform  in  both  range  and 
altitude.  The  dashed  lines  in  Figures  3-10  and  3-11  are  a 
normalized  probability  which  attempts  to  factor  out  the 
increased  areas  of  coverage,  and  therefore  increasing  number  of 
tracks,  as  range  increases.  The  significant  point  discovered 
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FIGURE  3-10 

PROBABILITY  OF  A  PROFILE  CHANGE  WITH  RANGE 
FROM  TCAS  AIRCRAFT  (CHICAGO  AND  ATLANTIC  CITY) 
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in  this  approach  was  the  high  probability  at  2  nmi  for  a  profile 
change  in  the  Washington  environment.  This  is  due  to  the 
arrival  pattern,  stop  descents,  and  operational  procedures 
employed  for  the  crossing  runways  at  Washington.  Although  the 
actual  distribution  of  where  profile  changes  occur  change  with 
environment,  it  is  reasonable  to  assume  a  uniform  distribution 
across  both  range  and  altitude  for  use  in  the  fault  tree 
analysis  since  this  is  the  most  likely  situation  to  be 
encountered . 

The  peak  accelerations  during  the  profile  changes  were  also 
reviewed.  Acceleration  distributions  were  developed  for  each  of 
the  four  profile  changes.  The  distributions  are  shown  in 
Figure  3-12.  The  modes  of  the  positive  g  maneuvers,  level  to 
climb,  and  descend  to  level,  are  higher  than  the  modes  of  the 
negative  g  maneuvers.  This  is  expected.  Point  estimates  for 
critical  values  for  each  of  the  acceleration  distributions  are 
shown  in  Table  3-8. 

Results  indicate  that  3/4  of  all  accelerations  are  less  than  1/5 

g,  with  average  accelerations  slightly  greater  than  1/8  g.  The 

75th  and  90th  percentile  points  are  larger  for  the  positive  g 

maneuvers  than  for  the  negative  g  maneuvers.  When  all 

accelerations  are  grouped  together,  95  percent  of  the  time  the 

2 

magnitude  is  less  than  12  feet/second  (0.37g). 

3.3.4  Estimated  Risk  of  Encountering  an  NMAC 

The  uniform  altitude  distribution  can  be  used  to  estimate  the 
risk  of  encountering  a  critical  NMAC,  based  on  the  Chicago  data, 
which  had  no  planned  encounters.  Figure  3-6  gave  the 
probability  of  a  horizontal  approach  to  within  0.2  nmi  to  be 
.002.  Although  not  shown  on  Figure  3-6,  the  data  tabulation 
shows  that  probability  to  be  .0005  within  0.1  nmi. 
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Figure  3-7  shows  the  probability  of  a  vertical  separation  of  100 
ft  or  less  to  be  .031.  Table  3-5  showed  the  total  time  in  the 
Chicago  area  to  be  13,251  seconds  (3.7  hr).  The  risk  of 
encountering  an  NMAC  is  therefore:  .0005  x  .031  /  3.7  =  4.2  x 
10  ^  per  hour. 

This  compares  favorably  with  the  values  of  3.4  x  10  ^  obtained 
by  using  Piedmont  data,  and  2.8  x  10  ^  obtained  from  the  NMAC 
reports.  Further,  the  operational  experience  of  United  Airlines 
(Appendix  M)  is  5.1  x  10  A  value  of  1  x  10  ^  per  hour 
will  be  used  throughout  the  remainder  of  this  study. 


4. 


ANALYSIS  OF  PRINCIPAL  LIMITATIONS  TO  TCAS 


The  TCAS  system  is  a  cooperative  system  in  that  information  on 
the  intruder  is  obtained  by  interrogating  its  ATC  transponder 
and  then  predicting  whether  the  next  half-minute  or  so  will 
bring  the  aircraft  too  close.  Such  a  system,  as  was  pointed 
out  earlier,  must  consider  some  basic  limitations;  the 
probabilities  of  these  are  evaluated  independently  in  this 
section  for  later  inclusion  in  the  fault  tree.  Other  faults, 
essentially  mechanical  failures,  are  evaluated  in  Section  5. 
Later,  in  Section  7,  the  interaction  of  all  elements  of  the 
environment  will  be  explored  to  arrive  at  an  overall  evaluation 
of  risk.  The  three  principal  limitations  to  be  evaluated  here 
are:  (1)  the  effect  of  aircraft  without  transponders 

interacting  with  TCAS,  (2)  the  effect  of  altimetry  errors,  and 
(3)  the  effect  of  sudden  maneuvers  by  the  intruder. 

4.1  Intruders  Without  Mode  C  Transponders 
Section  3.1.4  estimated  that  61  percent  of  the  intruders 
involved  in  an  NMAC  would  have  Mode  C  altitude  reporting.  This 
represents  the  maximum  benefit  that  the  TCAS  Resolution 
Advisory  could  provide  in  today's  environment.  That  is,  at 
best,  61  percent  of  the  current  NMACs  could  be  avoided  with 
today's  level  of  equipage. 

It  was  noted,  however,  that  a  large  fraction  of  the  aircraft 
involved  in  NMACs  have  transponders  (92  percent),  even  if  they 
do  not  have  Mode  C.  If  the  non-Mode  C  tracking  feature  were 
available  in  TCAS,  "altitude  unknown”  Traffic  Advisories  could 
be  provided.  If  the  intruder  is  really  on  a  near  collision 
course,  this  feature,  patterned  after  the  ATC  practice  of 
announcing  traffic  of  concern,  should  be  helpful  in  alerting 
the  TCAS  pilot. 
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4.2  The  Effect  of  Altimetry  Errors 

The  susceptibility  of  TCAS  to  error  in  reported  altimetry  can 
be  evaluated  by  analyzing,  for  "proximate  encounters"  those 
combinations  of  encounter  geometry  and  altimetry  error  that 
would  produce  a  resolution  advisory  which,  if  followed,  would 
result  in  less  than  100  ft  vertical  separation.  The  hazardous 
situation  (NMAC)  will  then  exist  if  the  aircraft  are  also  in 
close  horizontal  proximity. 

4.2.1  Methodology 

Some  combinations  of  altimetry  error  and  altitude  separation 
can  render  TCAS  ineffective  —  the  NMAC  will  occur  regardless. 
Other  combinations  exist  for  which  TCAS  would  degrade 
separation,  actually  inducing  an  NMAC.  Therefore,  to  have  an 
NMAC  with  TCAS  one  of  two  conditions  must  exist: 

1.  In  the  absence  of  TCAS,  an  NMAC  would  have  occurred; 
altimetry  error  renders  TCAS  ineffective. 

2.  In  the  absence  of  TCAS,  a  proximate  encounter  would 
have  occurred  (close  horizontally  and  greater  than  100 
ft  vertically);  altimetry  error  results  in  TCAS 
generating  an  RA  that  produces  an  NMAC. 

One  can  take  a  large  enough  region  of  vertical  separation,  say 
1000  ft,  determine  the  number  of  proximate  encounters  in  terms 
of  the  pre-existing  NMAC  encounters,  and  then  find  the  fraction 
of  combinations  of  altimetry  error  and  vertical  separation  for 
these  encounters  that  would  result  in  an  NMAC.  (The  value  of 
1000  ft  is  large  enough  to  account  for  the  anticipated 
magnitudes  of  altimetry  error  and  desired  vertical  separation.) 
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In  Section  3,  the  vertical  separation  of  aircraft  at  their 
closest  point  of  approach  was  determined  —  it  is  essentially  a 
uniform  distribution.  This  characteristic  behavior  was 
observed  both  on  the  Piedmont  flights  and  on  the  FAA  flights. 
Based  on  that  vertical  distribution,  we  obtain  the  risk  of  a 
proximate  encounter  by  multiplying  the  number  of  NMACs  by  ten 
(10  times  100  ft  equals  1000  ft),  as  illustrated  in  Figure 
4-1.  (There  is  no  change  in  the  horizontal  dimension.)  Then 
we  can  determine  what  fraction  of  those  encounters  would  come 
within  100  ft  (an  NMAC)  because  of  TCAS  altimetry  errors.  If 
the  error  were  zero,  none  would  —  if  the  advisory  were 
followed,  the  objective  separation  of  ALIM  plus  some  margin 
would  be  achieved. 

The  measure  of  comparison  of  the  risk  of  encountering  a 
critical  NMAC  with  TCAS  to  that  without  TCAS  is  called  the  Risk 
Ratio.  In  this  case,  a  non-zero  Risk  Ratio  is  caused  solely  by 
altimetry  error.  Later,  other  factors  will  be  included. 

Figure  4-2  shows  the  geometrical  relations,  at  the  time  of  the 
start  of  the  RA,  that  exist  for  a  TCAS  encounter  in  level 
flight.  As  sketched,  the  intruder  is  projected  to  pass  d  ft 
above  the  TCAS;  however,  the  reported  error,  e,  makes  it  appear 
to  TCAS  that  the  apparent  separation  would  be  (d+e).  If  the 
aircraft  have  linear  vertical  rates,  the  effect  is  essentially 
the  same  as  for  level  flight,  except  that  d  is  the  predicted 
separation  at  the  closest  point  of  approach. 

In  ideal  operation,  with  no  altimetry  error,  the  TCAS  aircraft 
would  descend  if  d  were  positive  and  climb  if  it  were 
negative.  The  RA  would  stay  posted  until  the  true  separation. 
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FIGURE  4-2 

ENCOUNTER  GEOMETRY 


d,  increased  to  the  parameter  ALIM  (plus  some  margin),  at  which 
time  the  RA  changes  from  corrective  to  preventive.  The  time 
available  for  this  maneuver  is  TAU  seconds.  In  actual 
operation  the  true  separation,  d,  is  not  known,  only  the 
apparent  separation  (d+e).  The  rules  are  the  same  as  just 
described,  but  the  effect  depends  on  the  magnitude  of  the  error. 

To  help  understand  and  evaluate  this  effect,  we  plot  the  true 
separation  and  the  error  as  in  Figure  4-3,  the  d-e  plane.  The 
ordinate,  d,  is  the  actual  vertical  separation.  On  the  left 
side  of  the  figure  the  distribution  of  d  is  shown  as  being 
uniform,  as  was  found  in  Section  3.  The  abscissa,  e,  is  the 
altimetry  error.  Its  distribution,  illustrated  at  the  bottom 
of  the  figure,  is  shown  as  Gaussian  with  a  zero  mean  and  a 
standard  deviation  of  sigma,  the  latter  being  evaluated  as  the 
square  root  of  the  sum  of  the  squares  of  own  error,  intruder 
error,  and  tracking  bias  error.  The  approach  will  be  to  define 
those  regions  which  could  lead  to  less  than  100  ft  separation 
(an  NMAC) . 

The  lines  shown  on  the  d-e  plane  are  of  importance  when 
considering  the  relation  between  the  actual  encounter  geometry 
and  the  Resolution  Advisory  when  it  is  first  posted.  The 
horizontal  lines  at  +  ALIM  are  the  nominal  objectives  for 
separation  that  TCAS  is  intended  to  achieve.  The  vertical 
lines  at  +  ALIM  indicate  values  of  error  in  reported  altitude 
of  this  magnitude.  The  diagonal  lines  denote  constant  values 
of  apparent  separation  (before  the  TCAS  aircraft  starts  a 
corrective  maneuver)  as  determined  for  various  degrees  of 
erroneous  altimetry. 


Figure  4-4  is  a  repeat  of  the  previous  figure,  but  with  some 
additional  regions  identified.  The  two  horizontal  lines  at 
d  ■  +  100  ft  define  the  extent  of  NMACs  without  TCAS  —  the 
aircraft  come  within  100  ft  and  the  altimetry  error  is  not  a 
factor. 

In  the  shaded  areas,  the  error  is  in  the  direction  opposite  to 
the  separation  and  of  a  larger  magnitude,  so  that  an  intruder 
actually  above  the  TCAS  will  appear  below,  and  vice  versa. 

That  is,  e  is  less  than  -d  for  d  greater  than  0,  and  e  is 
greater  than  -d  for  d  less  than  0.  Advisories  occurring  in 
these  regions  provide  a  "wrong  way”  direction,  which  may  or  may 
not  lead  to  an  NMAC,  as  will  be  shown.  In  unshaded  areas 
between  the  diagonal  lines  the  error  is  in  the  same  direction 
as  the  separation,  and  so  has  no  effect  on  the  fault  mechanisms 
of  TCAS.  Outside  of  the  diagonal  lines  positive  (corrective) 
advisories  are  not  generated  since  the  reported  separation 
(d+e)  appears  larger  than  ALIM. 


4.2.2  Preliminary  Analysis 

The  effects  of  altimetry  error  on  TCAS  can  now  be  illustrated. 
Figure  4-5a  shows  the  cross  hatched  regions  where  the  error  is 
such  that,  if  an  NMAC  were  to  occur,  it  would  not  be  resolved. 
Outside  of  the  diagonal  lines  the  error  is  so  great  that,  even 
though  the  true  separation  (d)  is  within  100  ft  (an  NMAC 
without  TCAS),  the  apparent  separation  (d+e)  is  greater  than 
ALIM,  so  no  corrective  RA  Is  given.  Inside  the  diagonal  lines 
the  apparent  separation  is  within  ALIM  and  a  corrective  RA  is 
given,  but  it  will  be  prematurely  removed  before  d  exceeds  100 
ft.  The  unshaded  regions  between  d  *  +100  ft  are  where  TCAS 
does  resolve  NMACs.  as  intended. 


(a)  Regions  where  TCAS  Fails  to  Resolve  a  Critical  NMAC 
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Action 


(1)  RA  stays  on  until  true 
separation  exceeds  100  ft 

(2)  RA  removed  before  true 
separation  reduced  to  100  ft 


(b)  Regions  Where  TCAS  Would  Induce  a  Critical  NMAC 
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REGIONS  OF  ALTIMETRY  FAILURE 


The  more  serious  concern,  that  of  TCAS  inducing  an  NMAC,  is 
illustrated  by  the  shaded  regions  in  Figure  4-5b.  For  these 
regions,  the  intruder  appears  to  be  in  the  opposite  direction 
of  his  true  separation,  which  originally  was  greater  than  100 
ft  (i.e.,  would  not  have  constituted  a  critical  near  midair 
collision).  The  width  of  shaded  regions  along  the  e  axis  is  + 
100  ft.  If  the  error  is  less  than  the  value  at  the  region 
boundary  (|e|  less  than  (ALIM-100)),  a  "wrong  way”  advisory 
occurs,  but  it  stays  posted  until  the  true  separation  is 
greater  than  100  ft  (unshaded  regions  1) .  If  the  error  is 
larger  (|e|  is  greater  than  (ALIM+100)),  d  is  initially  large, 
and  the  wrong  way  advisory  is  removed  before  the  separation 
decreases  to  100  ft  (unshaded  regions  2). 

One  more  step  remains  before  we  are  ready  to  apply  these 
concepts  to  calculate  the  Risk  Ratio  —  we  must  determine  the 
relative  probability  of  being  at  any  point  in  the  d-e  plane. 
Figure  4-6  illustrates  the  approach  already  implied.  Figure 
4 -6a  is  a  section  of  the  plane  that  covers  the  region  of 
interest  —  we  used  +  1000  ft  in  the  vertical  dimension  and 
+  1000  ft  error.  Figure  4-6b  plots  the  distribution  —  uniform 
in  d  and  Gaussian  in  e.  (The  figure  has  been  rotated  and 
tilted  to  make  the  three-dimensional  effect  more  apparent.) 

The  integral  (volume)  of  Figure  4-6b  is  essentially  unity. 

(For  practical  purposes,  all  possible  events  occur  within  the 
+1000  ft  by  +1000  ft  square.) 

The  first  step  in  computing  the  Risk  Ratio  is  to  normalize  all 
effects  to  the  situation  that  exists  without  TCAS.  This  is 
done  in  Figure  4-7.  All  proximate  encounters  that  come  within 
the  +100  ft  altitude  band  shown  are  the  NMACs  that  occur  in  the 
absence  of  TCAS.  The  volume  of  Figure  4-7b  is,  of  course. 


one-tenth  of  Figure  4-6b,  and  will  be  used  to  normalize  all 
further  cases. 

Figure  4-8  shows  the  regions  on  the  d-e  plane  where  altimetry 
errors  defeat  TCAS  operation.  The  cross  hatched  regions  in 
Figure  4-8a  are  those  in  which  TCAS  does  not  prevent  an  NMAC 
from  occurring.  The  dark  gray  regions  are  those  in  which  TCAS 
could  Induce  an  NMAC.  For  purposes  of  illustration,  this 
figure  was  drawn  for  the  case  of  ALIM  =  340  ft,  sigma  =  150  ft, 
and  the  advisory  is  kept  posted  until  an  indicated  separation 
of  ALIM  +75  ft  is  achieved.  Keeping  the  advisory  posted  for 
indicated  separations  DELTA  (a  parameter  in  the  logic)  larger 
than  ALIM  moves  the  grey  regions  out  to  the  lower 
probabilities,  and  so  achieves  a  reduction  in  the  Risk  Ratio, 
which  is  computed  as  the  volume  of  Figure  4-8b  divided  by  that 
of  Figure  4-7b.  Increasing  ALIM  would  also  reduce  the  Risk 
Ratio,  but  too  much  an  increase  would  also  Increase  the 
unwanted  alarm  rate.  Figure  4-9  is  a  plot  of  the  Risk  Ratio 
with  varying  amounts  of  DELTA. 

As  a  contrast,  if  the  corrective  advisory  were  retained  until 
the  TCAS  aircraft  achieves  a  fixed  vertical  displacement  of 
DISP  ft,  the  situation  changes  as  shown  in  Figure  4-10.  These 
figures  have  been  drawn  for  ALIM  *  340  ft,  sigma  =  150  ft,  and 
DISP  *=  340  ft.  The  region  in  which  TCAS  can  induce  an  NMAC  is 
located  in  lower  probability  regions.  Figure  4-11  is  a  plot  of 
the  Risk  Ratio  for  different  values  of  displacement. 

When  using  the  techniques  of  the  fault  tree,  in  Section  7,  we 
will  evaluate  separately  the  probabilities  of  TCAS  not 
resolving  an  NMAC  and  of  TCAS  inducing  an  NMAC.  Further,  to  be 
consistent  throughout  the  evaluation,  we  compare  all  faults  to 
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FIGURE  4-11 

VARIATION  OF  RISK  RATIO  WITH  FIXED  DISPLACEMENTS 


to  the  same  basis,  an  NMAC  in  the  absence  of  TCAS  (i.e.,  Risk 
Ratio) . 


All  the  preceding  discussion  assumes  that  the  aircraft  actually 
moves  the  desired  amount.  For  example,  if  the  error  is  zero 
and  the  aircraft  are  coaltitude,  the  TCAS  advisory  would  remain 
on  until  a  displacement  of  ALIM  +  DELTA  is  achieved.  Under 
some  conditions  it  is  possible  that  the  aircraft  may  not  be 
able  to  achieve  that  displacement  in  the  time  available  (TAU 
seconds) .  However,  there  will  often  be  some  initial 
separation,  so  less  displacement  than  ALIM  would  suffice. 

Also,  less  displacement  may  still  suffice  as  long  as  it 
prevents  the  critical  NMAC  (greater  than  100  ft  separation). 

Thus,  new  regions  on  the  d-e  plane  would  become  failures  If  the 
aircraft  cannot  maneuver  the  desired  amount.  The  effect  of  a 
limited  maneuver  capability  can  be  calculated  as  an  additional 
Risk  Ratio,  to  be  added  to  that  caused  by  altimetry  error. 
Figure  4-12  shows  this  additional  Risk  Ratio  as  a  function  of 
the  achievable  displacement  to  vertical  rate  for  a  given  TAU. 
For  this  scale,  a  delay  of  five  seconds  and  an  acceleration  of 
1/4  g  from  level  to  a  constant  vertical  velocity  was  assumed. 
For  example,  if  500  ft  were  the  desired  displacement  objective 
and  only  450  ft  could  be  attained  (approximately  1500  fpm  would 
provide  450  ft  in  25  seconds),  there  would  be  very  little  loss, 
about  .001,  or  .1  percent.  However,  if  only  400  ft  were 
obtained,  the  loss  would  add  1  percent  to  the  Risk  Ratio. 

4.2.4  Evaluation 

Having  established  the  relationships  between  the  various 
factors  of  TCAS  performance  and  altimetry  error,  we  are  now  in 
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EFFECT  OF  LIMITED  MANEUVER  CAPABILITY 


a  position  to  obtain  the  values  of  some  probabilities  to  be 
used  in  the  TCAS  fault  tree. 

In  Appendix  K  an  extensive  evaluation  of  the  standard  deviation 
of  altimetry  error  is  made.  There  it  is  shown  that  there  are 
two  principal  characterizations  of  error  depending  on  whether 
the  system  does  or  does  not  have  compensation  for  various 
errors  (principally  static  source  error).  Specifically,  the 
air  data  computer  corrected  altimetry  systems  often  provide 
altimetry  data  in  conformance  with  the  performance  standards 
specified  in  the  ARINC  Characteristics  for  Air  Data  Systems 
(References  18-22).  Baseline  altimetry  system  equipment,  on 
the  other  hand,  is  largely  controlled  by  the  Federal  Aviation 
Regulations  (FARs)  and  is  found  primarily  among  GA  aircraft. 
Tables  4-1  and  4-2,  repeated  from  Appendix  K,  provide  the 
standard  deviations  of  altimetry  error  for  the  corrected  and 
non-corrected  systems,  respectively. 

4. 2. 4.1  Basic  Conditions 

The  data  on  altimetry  error,  together  with  a  numerical 
integration  of  the  error  probabilities,  as  discussed  in  the 
preceeding  section,  provide  the  desired  results.  This 
evaluation  will  assume  the  TCAS  altimetry  error  to  be  described 
by  the  air  carrier  results,  and  the  intruder  error  to  be  of 
general  aviation  quality.  We  RSS  the  TCAS  altimetry  error,  the 
intruder  altimetry  error,  and  a  150  fpm  tracking  bias  error, 
the  latter  being  equivalent  to  a  safety  margin.  Then 
performing  the  integration  produces  the  results  in  Table  4-3. 

The  resulting  effect  depends  on  altitude,  both  because  of  the 
gradual  increase  of  altimetry  error  with  altitude  and  because 
of  the  stepped  thresholds  (ALIM),  which  were  introduced  to 
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EFFECTS  OF  ALTIMETRY  ERRORS 


ALT. 

l 

1  ALIM 

l 

1 

1  RSS 

1  ERROR 

1  (SIGMA) 

1 

i  i 

1  FRACTION  0F| 

INMAC  IN  1  WEIGHTED 

I  ALTITUDE  I  RISK 

RISK  RATIO  IBAND  1  RATIO 

1  1 

5  Kft 

!  340  ft 

1 

1  143  ft 

1 

.0744 

1 

I  .44 

1 

1 

1  .0327 

1 

10 

1  340 

1 

1  156 

1 

.1141 

1 

1  .31 

1 

1 

1  .0354 

1 

15 

1  440 

1  175 

1 

.0554 

1  .17 

1 

1 

1  .0094 

1 

20 

1  640 

1 

1  190 

i 

.0051 

1 

I  .03 

1 

1  .0002 

25 

1  640 

1  206 

1 

.0117 

i  .01 

I  .0001 

30 

1  640 

1 

1  220 
| 

.0210 

1  .03 

| 

I  .0006 
| 

35 

I  740 

1  239 

.0125 

1  .01 

1  .0001 

Total  ■  .0785 
Unresolved  =  .0388 
Induced  =  .0397 


Notes:  Errors  are  1.  Own  altimetry  (A/C  Quality) 

2.  Intruder  altimetry  (GA  Quality) 

3.  150  fpm  tracking  bias  error 


DELTA  =  75  ft 


(Corrective  advisory  is  maintained  until  the 
apparent  separation  is  ALIM  +75  ft) 


4-23 


account  for  that  phenomenon.  The  probability  of  an  NMAC 
occurring  within  the  noted  altitude  bands  was  obtained  from  the 
data  in  Section  3.1.1.  It  can  be  seen  that,  if  all  intruders 
had  uncorrected  altimetry,  the  number  of  NMACs  would  drop  to 
about  8  percent  of  those  that  occur  in  the  absence  of  TCAS . 
About  half  of  these  would  have  been  induced  by  TCAS . 

After  analyzing  the  results,  it  appeared  desirable  and 
convenient  to  obtain  a  substantial  improvement  by  a  modest 
change  to  the  parameter  ALIM.  (The  parameter  DELTA  already  is 
75  ft.)  The  values  of  ALIM  would  increase  from  340  ft  to  400 
ft,  when  the  encounter  is  at  an  altitude  less  than  10,000  ft; 
and  from  440  ft  to  500  ft  when  the  altitude  is  between  10,000 
ft  and  18,000  ft.  The  values  at  higher  altitudes  need  not  be 
altered,  as  they  make  a  very  small  contribution  to  the  total 
risk.  The  result,  as  shown  in  Table  4-4,  is  that  the  number  of 
NMACs  would  further  decrease  to  3  percent  of  those  that  occur 
|  in  the  absence  of  TCAS;  about  half  of  these  would  be  induced 

failures  and  half  would  be  NMACs  that  were  not  resolved. 

4. 2. 4. 2  Exponential  Error  Assumption 

|  A  key  assumption  in  the  evaluation  of  the  effect  of  altimetry 

error  is  the  Gaussian  form  of  the  error  distribution.  If, 
instead,  one  were  to  assume  the  rather  extreme  double-sided 
.  exponential  distribution  with  the  same  standard  deviation 

I  (heavier  weighting  of  the  tails  of  the  distribution),  we  could 

see  the  impact  of  this  assumption.  This  means  changing  from 
the  previously  given  expression, 
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TABLE  4-4 

EFFECTS  OF  ALTIMETRY  ERROR  FOR  MODIFIED  ALIM 


■r.  ■' 
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MH 


> 


FRACTION  OF 


1  ALT. 
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1 

1  ALIM 

1 

I  RSS 

1  ERROR 

1  (SIGMA) 

1 

NMAC  IN 
ALTITUDE 
BAND 

1  1 

1  RISK  | 

I  RATIO  I 

1  1 

WEIGHTED 

RISK 

RATIO 

I  5  Kft 

i 

1  400  ft 

1 

1 

1  143  ft 

1 

.44 

1  1 

1  .0269  | 

I  | 

.0118 

1  10 

1 

1  400 

1 

1 

1  156 

1 

.31 

1  1 

1  .0485  I 

1  1 

.0150 

1  15 

1 

!  500 

1 

1  175 

.17 

1  1 

1  .0231  | 

1  1 
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I  20 

1 

1  640 

1 

1  190 

l 

.03 

1  1 

1  .0051  1 

l  1 

.0002 

1  25 

1 

1  640 

1 

1 

1  206 

.01 

1  1 

1  .0117  | 

i 
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1  30 

1 

1  640 

1  220 

.03 

1  .0210  1 
| 

.0006 

1  35 

1  740 

1  239 

.01 

1  .0125  | 

.0001 

Total 

=  .0317 

Unresolved 

=  .0143 

Induced 

-  .0174 

Notes:  Errors  are  1. 

2. 

3. 


Own  altimetry  (A/C  Quality) 
Intruder  altimetry  (GA  Quality) 
150  fpm  tracking  bias  error 


DELTA  =  75  ft  (Corrective  advisory  is  maintained  until  the 
apparent  separation  is  ALIM  +75  ft) 
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to  the  following: 


f  (e) 


e*P  (-  yr-lfi-  > 


When  this  is  done,  the  result  is  as  shown  in  Table  4-5, 
somewhat  more  than  twice  the  probability  of  the  Gaussian 
assumption. 


4. 2. 4. 3  Air  Carrier  Intruder 

If  the  intruder  is  an  air  carrier  aircraft  instead  of  a  GA 
aircraft,  its  altimetry  is  characterized  by  Table  4-1  instead 
of  Table  4-2.  The  resulting  improvement  in  the  total  RSS  error 
reduces  the  Risk  Ratio  by  an  order  of  magnitude  or  more. 


4.2.5  Altimetry  Error  Summary 

In  Section  3.1  it  was  shown  that  GA  and  "other"  aircraft 
constitute  about  79  percent  of  the  critical  NMAC  incidents. 
Using  the  results  of  Table  4-4  with  that  weighting  factor,  we 
arrive  at  the  conclusion  that,  overall,  the  Risk  Ratio 
introduced  by  altimetry  errors  is  .025.  The  unresolved 
component  is  .011,  and  the  induced  component  is  .014. 


4.3  Effects  of  Maneuvering  Intruders 

One  of  the  principal  concerns  of  the  TCAS  environment  is  the 
problem  of  an  intruder  that  makes  a  sudden  maneuver  just  when 
TCAS  is  about  to  compute  its  Resolution  Advisory.  The  intruder 
maneuver  could  take  place  either  shortly  before  or  after  TCAS 
declares  the  intruder  a  threat.  Several  distinct  classes  of 
encounter  geometries  are  illustrated  in  Figures  4-13,  4-14,  and 
4-15.  Figure  4-13  represents  the  geometry  often  called  the 
"classical  fake-out"  maneuver.  In  this  situation,  TCAS  is 


TABLE  4-5 

EFFECTS  OF  ALTIMETRY  ERROR  FOR  ASSUMED  EXPONENTIAL 
ERROR  DISTRIBUTION 


essentially  level,  while  the  threat  is  converging  with  a 
vertical  rate  sufficiently  high  so  as  to  project  an  altitude 
crossing  before  the  two  aircraft  reach  their  closest  point  of 
approach.  The  TCAS  logic  models  its  "climb"  and  "descend" 
escape  maneuvers*  and  selects  the  one  giving  greater 
separation.  In  this  case,  the  maneuver  moves  TCAS  toward  the 
threat’s  initial  altitude.  There  is  no  hazard  so  long  as  the 
the  threat  continues  its  vertical  rate  for  the  remainder  of  the 
encounter  (typically  25  seconds).  However,  if  the  threat 
levels  off  in  that  time  period,  the  TCAS  escape  may  lead  to  an 
NMAC.  In  retrospect,  the  TCAS  advisory  was  in  the  wrong 
direction,  but  at  the  time  of  sense  selection,  the  intruder 
maneuver  was  not  anticipated  and  the  escape  appeared  to  be  in 
the  best  direction. 

Figure  4-14  shows  a  different  case,  in  which  the  TCAS  aircraft 
has  a  vertical  rate.  If  the  TCAS  advisory  reinforces  the  rate 
(a  "preventive"  positive,  or  "maintain  rate"),  TCAS  cannot 
reasonably  be  faulted  if  an  adverse  intruder  maneuver  causes  an 
NMAC,  since  the  pilot  had  already  selected  the  maneuver.  In 
Figure  4-15,  the  TCAS  aircraft  may  initially  be  level,  as 
shown,  or  may  have  a  vertical  rate.  If  TCAS  acts  to  maintain 
or  to  increase  the  existing  separation,  a  natural  resolution, 
the  intruder  may  still  maneuver  adversely  and  cause  an  NMAC. 
Again,  TCAS  took  the  proper  action.  It  should  be  noted  that 
this  case  generally  requires  a  substantial  maneuver  by  the 
intruder,  in  order  to  overcome  the  initial  separation  and  the 
TCAS  escape  maneuver,  and  still  cause  an  NMAC. 

•In  this  section,  flight  regimes  where  TCAS  cannot  climb  or  cannot 

descend  are  not  considered. 


The  first,  or  "fake-out"  case,  is  the  one  analyzed  in  this 
report.  The  conditions  leading  to  this  scenario,  and  the 
probability  of  its  occurrence,  are  discussed  in  the  subsections 
that  follow. 

A. 3.1  TCAS  Tracking  of  Intruder  Altitude  Rate 
The  task  of  the  vertical  tracker  is  a  difficult  one  —  altitude 
reports  from  a  threat  aircraft  are  quantized  to  100  ft 
intervals;  reports  may  be  missed,  or  rejected  if  corrupted  by 
noise.  The  current  design  was  first  proposed  by  M.I.T.  Lincoln 
Laboratory.  This  design  is  an  inverse  tracker,  in  a  sense, 
because  it  estimates  the  altitude  rate  by  tracking  the  time 
between  the  100-foot  altitude  changes.  The  design  takes  into 
account  several  patterns  of  altitude  reports  observed  in  test 
data,  and  provides  a  confidence  indicator  called  "firmness." 
While  the  tracker  always  attempts  to  classify  each  track  (such 
as  level,  climbing,  or  descending)  and  make  a  best  estimate  of 
rate,  there  are  certain  patterns,  typically  accelerations,  for 
which  the  quantized  reports  are  difficult  to  track.  That  is,  a 
wide  range  of  true  rates  could  produce  the  observed  sequence  of 
reports.  Several  more  seconds  of  reports  normally  clarifies 
the  situation  and  reduces  the  potential  error  in  tracked  rate. 
The  firmness  indicator  tells  when  this  potential  error  is 
large,  and  the  resulting  confidence  in  tracked  rate  is  low. 
Under  these  conditions,  the  detection  and  resolution  functions 
of  the  logic  defer  important  decisions,  principally  the 
selection  of  sense. 

Figure  4-16  illustrates  the  state  of  the  TCAS  vertical  tracker 
when  the  intruder  maneuvers.  The  solid  line  represents  the 
intruder's  true  vertical  profile  as  a  function  of  time.  (TCAS, 
however,  measures  discrete-time  samples  of  this  profile 
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quantized  to  100  ft.)  Four  regions  are  indicated  to  denote 
states  of  tracking,  although  the  length  of  each  depends  upon 
the  particular  track  details.  Region  1  is  the  time  before  the 
maneuver,  when  TCAS  is  assumed  to  be  tracking  "accurately", 
with  accuracy  typical  of  a  high  value  of  firmness.  Region  2 
begins  when  the  intruder  aircraft  begins  to  accelerate,  and 
lasts  until  TCAS  declares  low  firmness.  During  Region  2,  TCAS 
may  or  may  not  begin  to  correct  the  tracked  rate,  but  would  not 
defer  an  advisory.  Region  3  is  the  period  of  low  tracker 
firmness.  It  normally  extends  beyond  the  conclusion  of  the 
actual  maneuver.  Region  4  begins  when  the  tracker  regains  high 
firmness  (confidence)  in  the  new  rate. 

If  the  TCAS  threat  criteria  are  violated  during  Region  4,  the 
maneuver  is  in  the  past,  and  has  no  effect.  If  the  threat 
criteria  are  satisfied  during  Region  3,  low  firmness  delays  the 
advisory.  In  this  case,  the  alert  is  late,  but  sense  selection 
takes  account  of  the  maneuver.  For  some  encounters,  the  alert 
is  not  delayed.  If  one  maneuver  will  provide  satisfactory 
separation  against  the  entire  spread  of  possible  rates,  that 
maneuver  is  selected  Immediately,  despite  the  low  firmness. 

If  the  threat  is  declared  during  Regions  1  or  2,  the  TCAS 
maneuver  is  selected  without  knowledge  of  the  threat  maneuver, 
since  it  either  has  not  begun  or  has  not  been  recognized. 
Therefore,  the  extent  of  Region  2  is  critical,  since  it  extends 
the  potential  window  for  being  foiled.  Simulations  for  various 
rates  and  accelerations  show  that  this  interval  is  not  very 
sensitive  to  the  initial  rate  (for  level-offs),  but  varies 
somewhat  with  acceleration:  3  to  6  seconds  for  ,33g  and  above, 
versus  6  to  14  seconds  for  .15g.  Considerable  variation  within 
these  ranges  was  observed  for  repeated  trials  with  the  same 


rates  and  accelerations,  varying  only  the  absolute  altitude 
within  the  100  ft  quantum.  Maneuvers  from  level  to  a  rate  are 
detected  at  the  first  quantum  change.  This  is  typically  3  to  6 
seconds. 

4.3.2  Threat  Detection  and  Resolution  Logic 
Irrespective  of  the  limitations  of  tracking  the  maneuvers 
discussed  in  the  previous  section,  the  fake-out  leading  to  an 
NMAC  can  only  occur  when  certain  other  conditions  are  also 
satisfied.  First,  TCAS  must  select  the  sense  calling  for 
altitude  crossing.  Second,  TCAS  must  select  a  positive 
advisory  such  that  the  TCAS  aircraft  would  move  toward  the 
threat's  final  altitude. 

These  conditions  occur  only  for  certain  encounter  geometries, 
indicated  in  Figure  4-17.  This  figure  depicts  the  detection 
and  resolution  decisions  made  by  the  logic  as  a  function  of  the 
relative  altitude  and  altitude  rate  of  the  intruder  at  the  time 
of  sense  selection.  The  TCAS  aircraft  is  assumed  level. 

Appendix  J  discusses  this  altitude-altitude-rate  plane  in  more 
detail,  and  explains  the  results  for  each  region  as  indicated 
in  the  figure.  Many  of  the  regions  on  this  plane  do  not  lead 
to  altitude  crossing.  Of  those  advisories  that  do  indicate 
altitude  crossing,  only  the  region  indicated  as  "potential 
fake-out"  gives  a  positive  advisory,  which  will  displace  the 
TCAS. 

The  following  sections  evaluate  the  fraction  of  encounters  that 
fall  into  this  region,  and  estimate  the  probability  that  an 
intruder  will  also  make  the  adverse  maneuver. 
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FIGURE  4-17 

SUSCEPTIBILITY  OF  TCAS  TO  FAKE-OUT 


4.3.3  Probability  of  Potential  Fake-Out  Scenarios 
The  previous  discussion  used  Figure  4-17  to  identify  the 
combination  of  relative  altitude  and  altitude  rate  which  form 
potential  fake-out  scenarios.  An  important  consideration  is 
that  all  points  on  that  figure  do  not  occur  with  equal 
frequency.  The  environmental  data  will  be  used  to  determine  a 
probability  for  the  critical  region. 

Altitude  rate  data  was  categorized.  Both  in  Piedmont  data  and 
FAA  data,  level  tracks  accounted  for  about  60  percent  of  all 
tracks.  Of  Piedmont  tracks  which  generated  advisories,  about 
70  percent  were  catagorized  as  level  (less  than  480  feet  per 
minute),  indicating  that  the  use  of  all  tracks  is  representa¬ 
tive  of  advisories.  The  first  two  columns  of  Table  4-6  show 
vertical  rate  classifications  (divided  at  480  feet  per  minute 
intervals)  and  the  frequency  of  such  tracks  in  the  Piedmont 
data  for  all  tracks.  These  frequencies  sum  to  1.0  (100 
percent).  The  fraction  of  resolution  advisories  with  altitude¬ 
crossing  sense  is  calculated  by  integrating  over  the  altitude¬ 
crossing  region  (6A)  the  joint  probability  density  function  for 
a  track's  relative  altitude  and  altitude  rate;  then  dividing 
this  by  the  corresponding  integral  taken  over  all  regions 
giving  resolution  advisories  (all  regions  except  1,  3,  and  7). 

P(alt.  crossing  advisory | advisory) 

_  ,/p(alt,  alt  rate)  d(alt)  d(alt  rate) 
yp(alt,  alt  rate)  d  (alt)  d  (alt  rate) 
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TABLE  4-6 

CALCULATION  OF  NMAC  FROM  MANEUVERING  INTRUDER 


TOTAL  I  1.0  I  .017  II  III  .00270 


The  integral  in  the  numerator  is  taken  over  region  6.  The 
integral  in  the  denominator  is  taken  over  regions  2,  4,  5,  and 
6. 


This  can  be  approximated  by  calculating  the  area  of  horizontal 
strips  in  the  plane  of  Figure  4-17,  where  the  area  of  each 
strip  is  weighted  by  the  frequency  of  the  vertical  rate 
corresponding  to  each  strip.  As  noted  earlier,  flight  data 
indicates  a  uniform  distribution  in  relative  altitude  to  some 
cutoff  point.  This  will  be  approximated  as  uniform  over  the 
entire  range  of  altitudes  for  which  a  resolution  advisory  is 
given.  This  approximation  simplifies  the  mathematical 
tractability  of  the  calculation.  It  will  also  be  assumed  that 
relative  altitude  and  threat's  altitude  rate  are  independent. 
The  equation  then  simplifies  to: 

P(alt.  crossing  advisory | advisory ) 

=  \  '  width  (alt,  crossing  regions)  x  p(rate) 

/  j  width  (all  advisory  regions) 
all  rates 

-  .14 


Observing  that  the  high  proportion  of  level  encounters  accounts 
for  over  1/4  of  this  result,  and  that  the  TCAS  tracker  treats 
very  low  rates  as  level,  the  actual  probability  of  altitude 
crossing  sense  should  be  between  .10  and  .14. 

This  calculation,  made  for  all  tracks,  is  consistent  with  an 
examination  of  individual  advisories  in  the  Piedmont  data  for 
which  TCAS  was  level  and  the  intruder  was  non-level.  Fourteen 
percent  of  such  advisories  (mostly  Traffic  Advisories)  were 
projected  to  cross  in  altitude  (Section  3. 2. 1.3). 


Of  the  scenarios  in  region  6,  only  those  in  region  6A  would 
produce  a  positive  advisory  that  could  lead  to  an  NMAC  if  the 
intruder  maneuvered.  Forming  an  expression  similar  to  that 
above,  but  with  the  numerator  restricted  to  region  6A, 

P(potential  _  V"''  width  (region  6A) _  ,  % 

NMAC  I  advisory)  /  >  width  (all  advisory  regions)  x  P^ra  e 

all  rates 

the  results  are  tabulated  in  the  third  column  of  Table  4-6. 

The  low  rates  are  not  considered  part  of  region  6A,  thus  their 
contribution  is  zero.  The  total  of  this  column  is  .017.  Thus, 
1.7  percent  of  all  encounters  could  potentially  be  fake-out 
scenarios  if  the  intruder  levels  out  at  the  wrong  time.  To  be 
conservative,  this  calculation  neglects  tailchase  geometries 
(Region  7),  which  would  lower  the  overall  percentage  if 
considered. 

4.3.4  Probability  of  Adverse  Maneuver 

The  potential  fake-out  scenarios  identified  in  the  previous 
section  are  only  hazardous  when  the  intruder  executes  an 
adverse  maneuver  during  a  limited  interval  of  time.  The  next 
step  in  the  analysis  estimates  the  frequency  for  which  this 
will  occur.  The  Piedmont  data  does  not  contain  any 
altitude-crossing  Resolution  Advisories,  and  contains  only  3 
altitude-crossing  Traffic  Advisories.  Therefore,  the  estimate 
will  be  made  from  the  dynamics  of  all  traffic  observed,  with 
the  possibility  noted  that  this  may  not  account  for  differences 
when  the  aircraft  fly  close  together. 

Figure  4-18  is  a  histogram  giving  a  breakdown  of  all  valid 
Piedmont  tracks  in  three  groups:  "L"  denotes  always  level,  ”R” 


FIGURE  4-18 

PROBABILITY  OF  ACCELERATION  HISTOGRAM 


denotes  a  constant  vertical  rate;  "A"  denotes  a  change  in  rate 
of  8  ft/sec  or  more.  The  tracks  are  tabulated  by  track  length, 
since  the  probability  of  maneuver  should  increase  over  a  longer 
time  sample.  It  should  be  noted  that  the  distribution  of  track 
lengths  is  mainly  determined  by  the  tape  recording  algorithm, 
and  bears  little  relation  to  surveillance  track  lengths. 

Observe  from  this  figure  that  accelerations  form  a  high 
proportion  of  tracks  with  vertical  rates  (the  ratio  of  A  to 
(A+R)).  Thus,  ignoring  the  level  tracks  (L),  accelerations  are 
seen  in  75  percent  of  the  shorter  tracks,  and  increase  with 
track  length  to  100  percent  (no  long  "R”  tracks).  This 
behavior  suggests  a  Poisson  probability  distribution  of  the 
vertical  acceleration  "event",  given  an  initial  vertical  rate. 
Since  the  longer  tracks  may  contain  more  than  one  acceleration, 
which  was  not  counted  in  the  sampling  program,  the  shorter 
tracks  were  used  to  evaluate  the  Poisson  parameter.  The 
resulting  model  is; 

Prob.  (acceleration  in  T  seconds,  given  an  initial  rate) 

=  1  -exp(-.036  T) 


This  formula  is  needed  since  for  any  level-off  maneuver  there 
is  a  specific  time  window  causing  the  final  altitude  to  be  a 
potential  NMAC  (see  Figure  4-19).  For  each  vertical  rate  in 
Table  4-6,  the  time  windows  were  calculated  corresponding  to: 
a)  no  maneuver  before  reaching  the  critical  altitude;  and  b)  a 
maneuver  at  the  critical  altitude,  plus  or  minus  100  ft.  These 
intervals  and  their  probabilities  from  the  Poisson  model  are 
also  shown  in  Table  4-6.  These  are  multiplied  by  the 
probability  of  the  potential  NMAC  scenario  to  produce  the 


FIGURE  4-19 

EXAMPLE  OF  POTENTIAL  FAKE-OUT  SCENARIO 


probability  of  an  NMAC  in  the  last  column.  This  column  sums  to 
.00270. 

This  result  should  serve  as  an  upper  bound  to  the  actual  NMAC 
figure  for  several  reasons: 

1.  The  calculation  assumes  that  the  maneuver  is  of  the 
worst  direction  and  magnitude,  that  is,  level-off. 

Data  shows  that  maneuvers  may  be  in  either  direction. 
For  Piedmont  intruders  (Advisories)  with  vertical 
rates  (not  necessarily  in  crossovers),  23  decreased 
f^eir  rate  or  reversed  their  direction;  17  increased 
their  rate;  and  4  maintained  their  rate.  Of 
crossovers,  9  maneuvered  to  reinforce  the  crossover;  4 
maneuvered  to  prevent  the  crossover;  and  1  maneuvered 
both  ways.  Thus  it  is  not  indicated  that  all 
maneuvers  are  adverse. 

2.  For  the  case  of  TCAS-II  equipped  threats,  an  adverse 
maneuver  should  never  occur,  since  both  pilots  receive 
coordinated  Resolution  Advisories. 

3.  The  probability  of  intruder  maneuver  may  be  high  by  as 
much  as  a  factor  of  2.  The  "accelerating"  tracks  on 
the  Piedmont  tapes  included  level-to-rate 
accelerations  as  well  as  rate-to-level  accelerations. 
These  categories  were  not  counted  separately  when  the 
tapes  were  analyzed.  If  the  proportions  were 
consistent  with  the  database  used  in  the  profile 
segment  study  (Section  3.3.3),  the  maneuver  hazard 
would  be  half  the  value  derived  above. 


A. 3. 5  Additional  Observations 

The  analysis  given  above  has  been  concerned  with  level-off 
maneuvers  near  TCAS'  final  altitude,  i.e.,  about  500  ft  away. 
For  several  reasons,  a  level-off  maneuver  1000  ft  from  TCAS  is 
much  less  likely  to  lead  to  an  NMAC.  First,  the  intruder  must 
have  a  rate  greater  than  2000  fpm  near  the  assigned  altitude  to 
induce  this  sense  choice.  (Table  3-7  indicates  this 
probability  is  much  less  than  10  percent.)  Second,  the 
advisory  time  (TAU  threshold)  does  not  provide  sufficient  time 
for  TCAS  to  displace  1000  ft  with  a  standard  maneuver.  Third, 
the  "Advisory  Not-OK”  indication  should  give  the  TCAS  pilot 
more  time  to  moderate  or  stop  the  wrong-way  maneuver  than  in 
encounters  with  500  ft  separation.  Thus,  for  flight  in 
airspace  where  1000  ft  separation  is  the  normal  procedure  (e.g. 
in  IMC),  the  Risk  Ratio  caused  by  a  maneuvering  intruder  is 
expected  to  decrease  from  about  .003  by  about  two  orders  of 
magnitude. 

Since  any  fake-out  is  a  relatively  abrupt  maneuver,  the 
Airman's  Information  Manual  was  examined  for  its  procedure  on 
following  ATC  clearances.  This  manual  provides  guidance  only, 
and  is  used  primarily  by  General  Aviation  pilots.  The  manual 
advises  a  pilot  to  reduce  vertical  rate  to  500  fpm  during  the 
last  1000  ft  of  altitude  transition  to  a  new  altitude 
clearance.  If  this  procedure  were  followed  by  an  intruder 
leveling  500  ft  or  more  away  from  TCAS,  the  altitude-crossing 
sense  would  be  even  less  frequent.  It  appears  that  fake-out 
maneuvers  would  be  quite  rare  if  most  aircraft  attempted  to  use 
this  procedure. 


In  the  event  of  a  fake-out  maneuver,  TCAS  gives  the  pilot  an 
"Advisory  Not-OK"  display  when  tracker  firmness  regains  high 
confidence,  unless  TCAS  is  projected  to  clear  the  threat  by  at 
least  100  feet.  The  time  of  such  an  advisory  is  greatly 
variable.  For  the  case  of  a  high  initial  rate  and  high 
acceleration,  the  pilot  may  receive  10  seconds  warning.  For 
lower  rates  or  accelerations,  very  little  warning  time  may  be 
given.  In  any  event,  the  Traffic  Advisory  is  updated  each 
second  throughout  the  encounter  to  assist  the  pilot  in 
monitoring  intruder  altitude  and  rate  (using  the  rate  arrow  on 
the  TA  display).  The  analysis  does  not  take  credit  for  the 
benefits  that  may  be  ascribed  to  these  features. 

Finally,  this  study  does  not  quantitatively  evaluate  the 
crosslink  message  sent  by  TCAS-II  to  TCAS-I.  As  with  all  Mode 
S  communications,  the  physical  link  has  a  very  high  degree  of 
integrity.  The  crosslink  is  intended  to  help  the  TCAS-I  pilot 
visually  acquire  the  TCAS  II,  and  thereby  assist  in  maintaining 
safe  separation. 


•/  - 


4.3.6  Summary  of  Effects  of  Maneuvering  Intruders 
The  bound  on  a  proximate  maneuvering  intruder  inducing  an  NMAC 
was  given  as  .0027.  This  can  be  roughly  converted  to  Risk 
Ratio  by  multiplying  the  result  by  10,  because  there  are  about 
10  times  as  many  proximate  encounters  as  critical  NMACs  (as 
noted  in  Section  3).  That  is,  if  maneuvering  intruder  problems 
were  the  only  failure  mechanisms,  TCAS  would  have  a  residue  of 
about  2.7  percent  of  the  present  NMACs. 

In  Appendix  C  an  estimate  was  made  of  the  probability  of  a 
fake-out  maneuver  leading  to  an  NMAC,  using  a  different  method 


4-46 


•  -  * 
!%-»  *-*  ' 


and  a  different  data  base.  This  estimate  was  5.70  x  10  , 

given  a  proximate  encounter.  To  place  those  results  on  the 
same  basis  as  the  ones  in  this  section,  we  merely  remove  the 
horizontal  separation  criterion  from  Table  C-l  (.0005;  an  NMAC 
already  has  close  horizontal  proximity);  then  we  apply  the  same 
times  10  vertical  factor  to  relate  it  to  the  present  NMACs. 

The  result  is  (5.70  x  10  ^  /  .0005)  x  10  =  .0114  =  1.1 
percent.  The  two  estimates  are  quite  close. 


ANALYSIS  OF  PRINCIPAL  TCAS  FAILURE  MECHANISMS 
The  preceding  section  treated  external  factors  that  could 
degrade  the  desired  results  of  TCAS;  this  section  analyzes 
internal  factors.  These  factors  are  related  to  the 
surveillance  function  of  TCAS,  persistent  bit  errors  in  the 
intruder’s  reply  of  altitude,  and  various  combinations  of 
failures  in  the  avionics  of  either  aircraft. 

5.1  Surveillance-related  Faults 

Imperfections  in  the  tracks  produced  by  the  air-to-air 
surveillance  subsystem  of  TCAS  II  can  affect  the  information 
presented  to  the  threat  detection  and  resolution  algorithms. 

The  following  sections  classify  the  effects  and  mechanisms  that 
are  possible,  and  then  provide  estimates  of  the  frequencies  of 
occurrence. 

5.1.1  Types  of  Surveillance  Imperfections 

There  are  four  types  of  surveillance  imperfections  that  may 
affect  the  system: 

•  Misses 

•  False  tracks 


•  Location  errors 

•  Track  number  changes 

A  miss  is  the  event  that  an  aircraft  exists  in  the  vicinity  of 
the  TCAS  II-equipped  aircraft,  and  yet  there  is  no  surveillance 
track  corresponding  to  that  aircraft  at  that  time.  Such  an 
event  can  be  caused  by,  for  example,  a  fade  in  received  power. 


which  may  in  turn  be  caused  by  a  dip  in  one  or  both  of  the 
antenna  patterns.  If  the  aircraft  is  near  enough  to  cause  an 
RA  to  be  triggered,  and  if  the  track  is  missing  during  that 
whole  time  period,  then  the  result  will  simply  be  that  no 
advisory  is  produced.  It  is  also  possible  for  the  track  to 
start  late,  in  which  case  the  effect  is  a  late  advisory, 
leaving  less  time  for  pilot  and  aircraft  reaction.  The  other 
possibility  is  that  the  track  exists  at  the  time  the  RA  is 
triggered  but  is  dropped  later,  which  may  cause  the  pilot 
display  to  go  blank  before  the  resolution  is  complete. 

A  false  track  is  a  track  that  does  not  correspond  to  any  real 
aircraft.  In  Mode  S  surveillance,  false  tracks  do  not  occur 
(because  of  the  discrete  addressed  interrogations).  In  Mode  C, 
however,  false  tracks  are  possible.  The  main  mechanism  causing 
false  tracks  in  Mode  C  is  multipath.  Multipath  connotes  radio 
reflections  from  the  ground  or  ocean  over  which  the  aircraft 
are  flying.  There  are  other  mechanisms  that  can  cause  false 
tracks,  and  it  is  physically  possible  for  an  RA  to  be  triggered 
by  a  false  track  at  a  time  when  there  is  no  aircraft  close 
enough  to  trigger  an  RA.  In  the  event  that  a  false  track  is 
within  the  threat  volume  at  a  time  when  an  aircraft  is  also 
within  the  threat  volume,  the  false  track  may  have  the  effect 
of  modifying  the  displayed  RA  relative  to  what  would  have  been 
displayed  in  the  absence  of  the  false  track.  The  other 
possibility  is  that  a  false  track  and  a  real  track  are  both 
within  the  threat  volume  at  the  same  time,  and  yet  the 
displayed  RA  is  not  changed  in  any  way  by  the  presence  of  the 
false  track. 

Location  errors  in  both  range  and  altitude  have  been  noted 
occasionally  in  TCAS  surveillance  data  and  could  conceivably 
have  some  effect  on  RAs.  A  location  error  is  a  condition  in 
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which  a  track  exists,  corresponding  to  an  aircraft  in  the 
vicinity,  but  the  tracked  location  differs  from  the  location  of 
the  aircraft  by  an  amount  that  is  large  relative  to  normal 
surveillance  accuracy.  Location  errors  in  range  may  be  a 
result  of  multipath  acting  in  combination  with  direct  replies. 
In  a  case  where  both  multipath  replies  and  direct  replies  are 
being  received  and  both  are  intermittent,  the  track  may 
oscillate  back  and  forth  between  the  two  types  of  replies,  thus 
causing  range  deviations.  Location  errors  in  altitude  may 
result  from  bit  declaration  errors  in  the  demodulation  of  the 
received  altitude  code. 

Ordinarily  the  track  number  of  a  surveillance  track  is  a 
constant  for  the  duration  of  an  encounter.  This  information  is 
used  by  the  threat  logic  in  the  functions  that  estimate  range 
rate  and  altitude  rate;  the  rate  estimates  for  a  given  track 
are  derived  only  from  data  tagged  with  the  track  number.  Track 
number  changes  have  occasionally  been  observed  in  TCAS 
surveillance  data,  and  thus  some  effect  on  RAs  could 
conceivably  result.  A  track  number  change  may  occur  in  a  case 
of  crossing  tracks.  Here,  two  tracks  cross  in  range  (which  is 
very  common)  while  they  are  at  the  same  altitude  (which  is  less 
likely).  The  two  corresponding  aircraft  need  not  be  close  to 
each  other;  they  are  more  likely  far  apart  in  azimuth. 

Crossing  tracks  are  somewhat  rare,  and  in  most  cases  the  track 
numbers  remain  correct  throughout,  but  it  is  possible  for  these 
to  swap. 

5.1.2  Frequency  of  Occurrence 

For  each  of  the  Identified  surveillance  imperfections,  an 
estimate  was  obtained  of  the  frequency  of  occurrence.  Data 
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sets  that  are  appropriate  for  this  purpose  were  obtained  by 
flights  with  special  instrumentation  directed  to  the  collection 
of  surveillance  data.  These  are: 

1.  Airborne  data  recorded  during  1983  subject  pilot 
testing  at  Lincoln  Laboratory.  These  flights  were  in 

a  Cessna  421.  A  TCAS  Experimental  Unit  (TEU)  was  used. 

2.  Airborne  data  recorded  during  the  1982  high  density 
test  program.  Some  of  this  data  is  recorded  in  the 
Los  Angeles  basin  and  some  was  recorded  on  the  East 
Coast.  These  flights  were  in  a  Boeing  727.  A  TEU  was 
used. 

While  the  Piedmont  Phase  I  data  is  useful  in  identifying 
mechanisms  that  may  occur,  this  data  set  and  all  other  data 
sets  obtained  using  BCAS  air-to-air  surveillance  will  not  be 
used  here  because  of  the  significant  changes  between  the 
earlier  BCAS  and  the  TCAS  II  equipment.  For  example,  the 
change  from  4-level  whisper-shout  in  BCAS  to  24-level 
whisper-shout  in  TCAS  II  was  intended  to  reduce  the  frequency 
of  occurrence  of  misses  in  high  density  airspace,  and  may  also 
be  expected  to  affect  the  false  track  rate. 

A  straightforward  way  of  assessing  frequencies  of  occurrence  is 
to  examine  all  cases  in  which  an  RA  was  generated  and  note  the 
fraction  of  cases  in  which  each  type  of  imperfection  occurred. 

To  date  this  has  been  carried  out  for  65  RA  encounters  from 
data  set  (1).  In  61  of  the  encounters,  surveillance 
imperfections  had  no  effect  on  displayed  RAs.  In  three  of  the 
encounters  the  track  was  dropped  near  the  point  of 
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closest  approach.  In  each  such  case  the  track  drop  was 
preceded  by  a  substantial  period  during  which  the  nominal  RA 
was  displayed  (29,  40,  and  54  seconds).  In  the  remaining 
encounter,  an  altitude  error  of  100  ft  occurred  just  as  RA 
sense  was  being  selected.  This  converted  "descend"  into 
"climb.”  The  pilot  considered  this  to  be  the  wrong  way, 
although  the  climb  advisory  would  have  provided  adequate 
vertical  separation  at  CPA.  The  version  of  threat  logic  that 
was  used  in  this  flight  was,  however,  significantly  different 
in  its  reaction  to  this  condition  relative  to  the  threat  logic 
in  its  current  form.  The  current  form  of  threat  logic  would 
have  reacted  with  a  "descend"  RA.  Thus  for  the  entire  set  of 
65  encounters  analyzed,  in  no  case  did  the  surveillance  data 
cause  an  incorrect  RA  (based  on  the  current  form  of  threat 
logic). 

These  results  are  encouraging.  Although  they  do  not  provide 
detailed  estimates  of  frequencies  of  occurrence,  they  do 
indicate  that  the  values  are  small. 

Less  straightforward  ways  of  analyzing  airborne  data  may  be 
useful  in  obtaining  rate  estimates  by  extrapolation.  A  study 
has  been  conducted  of  the  Los  Angeles  basin  portion  of  data  set 
(2)  to  estimate  the  miss  rate  for  closing  rates  of  500  knots  in 
high  density  airspace.  Although  there  were  no  500  knot 
encounters  in  the  data,  the  study  was  done  by  focusing  on  the 
range  at  which  surveillance  would  be  required  for  a  500  knot 
encounter,  about  4.5  nmi.  The  result  for  the  probability  of 
having  the  aircraft  in  track  early  enough  to  trigger  the  RA, 
including  a  portion  of  lead-in  track  to  provide  for  accurate 
estimates  of  range  rate  and  altitude  rate,  is  95  percent. 
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This  is  a  conditional  probability,  based  on  the  following: 

•  Flying  in  airspace  of  high  aircraft  density 

•  Closing  rate  of  500  knots 

The  more  typical,  or  unconditional,  performance  is  expected  to 
be  somewhat  better,  about  97  percent.  Likewise,  the  typical 
probability  of  having  the  aircraft  in  track  at  the  time  of  the 
TA  is  94  percent.  Stated  differently,  the  probability  of  not 
having  the  aircraft  in  track  by  the  time  of  the  TA  is  .06,  and 
by  the  time  of  the  RA  is  .03. 

Quantitative  estimates  of  the  frequencies  of  occurrence  in  the 
other  three  categories  must  be  arrived  at  through  judgments 
based  on  experience  with  airborne  data  which  includes  BCAS 
data.  An  estimate  of  the  rate  of  false  tracks  is  less  than  3 
percent.  (From  a  study  of  airborne  flight  data,  occasional 
brief  false  tracks  occurred  at  a  rate  of  1.1  percent  for  the 
directional  system  and  1.9  percent  for  the  omnidirectional 
system.)  That  is,  among  all  RA  encounters  less  than  3  percent 
will  be  affected  by  a  false  track.  In  the  majority  of  these 
cases  (perhaps  9  out  of  10)  the  modified  RA  will  still  provide 
for  separation  from  the  aircraft  causing  the  RA  and  will  be 
safe.  Location  errors  and  track  number  changes  that  affect  RAs 
are  believed  to  be  less  frequent.  A  value  of  1  percent  can  be 
taken  as  a  pessimistic  estimate  of  the  frequency  of  occurrence 
of  both  classes  together.  Again,  when  these  effects  occur  they 
typically  result  in  an  RA  that  provides  for  separation  from  the 
aircraft  in  the  vicinity. 
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5.2  Mode  C  Bit  Failure 


TCAS  uses  transported  Mode  C  data,  updated  once  a  second, 
obtained  from  the  aircraft  under  surveillance  to  determine  its 
altitude.  Errors  in  encoding  the  altitude  will  introduce 
errors  in  subsequent  results. 

This  section  will  investigate  the  impact  of  a  persistent 
encoder  bit  failure  on  TCAS  resolution  performance.  Particular 
emphasis  will  be  placed  on  errors  which  will  cause  TCAS  to 
create  a  hazardous  situation.  Using  recorded  surveillance  data 
collected  on  TCAS  test  flights  and  at  the  NASA  facility  at 
Wallops  Island,  Virginia,  empirical  estimates  of  the  occurrence 
of  Mode  C  bit  errors  are  made. 

5.2.1  Mode  C  Altitude  Encoding  and  C-Blt  Errors 
The  ability  of  TCAS  to  accurately  track  aircraft  in  the 
vertical  dimension  is  dependent  upon  consistent  and  accurate 
Mode  C  data.  This  information  is  encoded  by  a  transponder  and 
transmitted  in  Gilham  code,  often  referred  to  as  modified  Gray 
code.  Modified  Gray  code  has  the  property  that  only  one  bit 
changes  between  the  representation  of  any  two  adjacent  altitude 
levels.  The  code  is  represented  by  12  bits  or  pulses 
transmitted  from  left  to  right  as  follows: 

Cl  A1  C2  A2  C4  A4  B1  D1  B2  D2  B4  D4 

The  D1  bit  is  not  used  for  altitude  encoding.  The  eight  bits 
which  occupy  pulse  positions  D2,  D4,  Al,  A2,  A4,  Bl,  B2,  and 
B4,  encode  the  altitude  in  500  ft  stages.  By  the  addition  of 
another  three  pulses  Cl,  C2,  and  C4,  which  represent  another 
cyclic  binary  code,  fine  coding  in  100  ft  intervals  is  achieved. 


Errors  in  the  tracked  aircraft's  altitude  track  can  be  due  to 
several  causes;  this  section  will  deal  only  with  the  "stuck 
bit"  error  problem  in  the  low  order  bits  (the  C  pulses).  The  C 
bits  cycle  the  most  rapidly,  identifying  the  aircraft's  100  ft 
level  within  each  500  ft  altitude  bin,  defined  by  the  high 
order  bits.  Errors  in  the  higher  order  bits  result  in  large 
errors  (500  ft  or  larger)  and  will  normally  be  detected  by  ATC, 
which  will  direct  that  the  Mode  C  of  the  malfunctioning 
transponder  be  turned  off.  Also,  for  any  threat  with  a  high 
order  bit  error,  the  resulting  large  jumps  in  reported  altitude 
will  be  rejected  by  the  TCAS  altitude  credibility  test.  Errors 
in  the  low  order  bits,  however,  may  go  undetected  by  ATC,  and, 
although  those  errors  do  not  produce  large  differences  between 
reported  and  true  flight  levels,  they  can  produce  significant 
errors  in  the  position  projections  performed  by  TCAS. 

5.2.2  Properties  of  C-Bit  Errors 

A  Karnaugh  map  representation  of  the  C-bit  coding  is  provided 
in  Table  5-1.  Although  there  are  eight  possible  states  for  the 
3  C-bits,  only  five  of  these  states  are  used.  The  remaining 
three  unused  states  are  referred  to  as  illegal  states.  They 
correspond  to  Cl  C2  C4  =  000,  101,  and  111,  Each  1000  foot 
altitude  interval  contains  the  same  sequence  of  C-bits.  Higher 
order  bits  change  between  altitude  levels  which  end  in  200-300 
and  700-800. 

Table  5-2  provides  a  description  of  the  possible  single-bit 
errors  in  the  C-bits.  Bit  errors  of  +C1,  +C2,  +C4  refer  to  the 
Cl,  C2,  or  C4  bits,  respectively,  always  set  to  one;  -Cl,  -C2, 
-C4  denote  the  same  bits  always  set  to  zero.  When  the  subject 
bit  should  have  the  opposite  value,  a  bit  error  results.  The 
next  ten  columns  in  Table  5-2  show  the  sequence  of  altitudes 


Karnaugh  Map  showing  correspondence  of  C-bit  values  with  last  digit  of 
100-foot  altitude  level.  The  three  illegal  states  are  indicated  by  X. 
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that  result  In  the  100  ft  altitude  bins.  For  example,  for  a 
-Cl  error  (no  Cl  pulse),  500  ft  will  be  encoded  when  an 
aircraft  is  at  the  400  ft  bin.  An  "X"  indicates  the  bit  error 
results  in  an  illegal  state  at  that  altitude  bln.  Note  that 
reported  altitudes  increase  monotonically  with  increasing 
actual  altitude. 

The  table  also  shows  discontinuities  in  altitude  bins 
represented;  these  are  gaps  between  legally  occurring  states. 
For  example,  a  400  ft  discontinuity  occurs  for  an  aircraft 
transitioning  from  the  400  ft  bin  to  600  ft  bin  when  there  is  a 
-C2  bit  error  (missing  C2  pulse).  The  Mode  C  reply  shows  300 
ft  when  the  aircraft  is  at  400  ft,  then  shows  an  illegal  state, 
then  shows  700  ft  when  the  aircraft  is  at  600  ft.  Thus,  a  jump 
of  400  ft  between  consecutive  legal  Mode  C  replies  occurs  when 
only  200  ft  have  been  transited.  The  table  also  shows  the 
number  of  missing  levels  (altitude  bins  which  will  never  be 
encoded  for  that  error  type),  number  of  illegal  states,  and 
number  of  bins  which  will  be  encoded  incorrectly.  Table  5-3 
shows  the  differences  between  the  altitude  level  intended  and 
the  altitude  level  actually  encoded.  A  ”-1”  indicates  an 
altitude  will  be  shown  which  is  100  ft  below  the  correct 
altitude;  a  "+1"  indicates  that  an  altitude  will  be  shown  which 
is  100  ft  above  the  correct  altitude.  There  is  no  C-bit  error 
which  will  result  in  greater  than  100  ft  error  in  represented 
altitude. 

It  is  seen  that  the  only  error  type  which  results  in  a 
discontinuity  between  adjacent  actual  altitude  levels  (that  is, 
with  no  illegal  state  within  the  discontinuity)  is  +C2.  For 
this  error,  the  encoded  value  jumps  from  a  level  ending  in  100 
to  a  level  ending  in  400  when  the  actual  level  transition  is 
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TABLE  5-3 

ERRORS  (x  100  ft)  ASSOCIATED  WITH  GIVEN  C-BIT  ERROR 


X  **  Illegal  Code  Reported 
-Cl  =  Ci  bit  always  set  to  zero 
+Ci  =  Ci  bit  always  set  to  one 


200  to  300.  For  error  types  other  than  +C2,  discontinuities 
between  encoded  altitudes  contain  illegal  states  between  the 
legally  encoded  levels.  The  discontinuities  for  these  error 
types  may  be  400,  500  or  700  feet. 

It  is  possible  to  use  Table  5-2  to  determine  the  type  of  bit 
error  which  may  be  responsible  for  a  particular  reporting 
anomaly.  For  instance,  suppose  that  when  sequence  number  0  was 
expected,  sequence  number  1  occurred.  From  Table  5-2  it  is 
seen  that  a  +C1  error  is  the  only  single-bit  C-bit  error  which 
could  produce  this  conversion.  By  tabulating  the  types  of 
C-bit  conversions  which  occur  for  an  observed  track,  the  nature 
of  any  persistent  single-bit  C-bit  errors  can  be  deduced. 

5.2.3  Impacts  of  C-Blt  Errors  on  TCAS  Performance 
In  examining  TCAS  data  it  should  be  kept  in  mind  that  altitude 
discontinuities  of  more  than  300  feet  may  result  in  track  coast 
or  track  termination.  Reporting  of  an  illegal  altitude  will 
also  result  in  track  coast.  If  reporting  of  an  illegal 
altitude  is  persistent,  then  the  aircraft  may  be  tracked  as  a 
non-Mode  C  aircraft.  In  order  to  fully  evaluate  bit  errors,  it 
is  desirable  to  obtain  from  the  surveillance  software  the 
actual  decoded  altitude  of  each  reply  or  the  specific  type  of 
illegal  reply  received. 

The  primary  concern  with  C-bit  errors  is  their  impact  on  TCAS' 
ability  to  maintain  track  and  to  track  accurately,  such  that 
the  collision  avoidance  function  is  not  impaired.  C-bit  errors 
have  little  impact  on  TCAS'  ability  to  perform  its  role  of 
collision  avoidance  when  the  aircraft  with  the  "stuck  bit"  is 
in  level  flight.  The  impact  of  a  C-bit  error  on  the  TCAS 
tracking  of  an  aircraft  in  level  flight  is  dependent  upon  the 


assigned  flight  level  and  the  adherence  of  the  aircraft  to  the 
assigned  altitude.  Normally,  aircraft  are  assigned  altitudes 
ending  in  000  if  IFR  and  500  if  VFR.  Tables  5-4  and  5-5  show 
the  impact  of  C-bit  errors  on  transponded  altitude  for  aircraft 
assigned  to  these  flight  levels.  The  second  and  third  columns 
in  each  table  show  the  percentage  and  magnitude  of  deviations 
from  assigned  flight  levels  typically  encountered,  the 
percentages  are  taken  from  Reference  33.  Note  that  the  impact 
of  C-bit  errors  can  easily  be  computed  for  any  assigned  flight 
level  by  shifting  columns  2  and  3  to  the  desired  true  altitude 
and  summing  the  proportions  in  column  3  over  each  condition  in 
the  C-bit  error  columns  (0=good  report,  l*report  in  error  by 
100  feet,  Xscoast  received).  In  this  way,  allowance  could  be 
made  for  nonstandard  pressure,  where  an  assigned  flight  level 
corresponds  to  a  different  transponded  altitude.  Since 
aircraft  transponded  altitudes  are  always  determined  relative 
to  standard  pressure,  this  analysis  pertains  only  to  C-bit 
Induced  tracking  problems.  It  is  assumed  that  the  frequency  of 
deviations  about  an  assigned  altitude  is  not  any  larger  at  the 
lower  altitudes;  however,  for  a  worst  case  condition  Table  5-6 
presents  the  Impact  of  C-bit  errors  on  level  flight  tracking, 
assuming  deviations  follow  a  uniform  distribution.  It  is 
assumed  that  the  frequency  of  deviations  will  not  be  any  larger 
at  the  lower  altitudes.  The  distribution  does  not  account  for 
the  time  correlation  of  successive  deviations. 

Although  tracking  level  aircraft  with  C-bit  errors  poses  no 
problem  with  the  TCAS  tracking  algorithm,  there  is  the  strong 
possibility  that  a  Mode  C  track  would  not  be  formed  for 
aircraft  with  a  persistent  error  in  the  C2  bit.  A  -C2  bit 
error  and  +C2  bit  error,  depending  on  assigned  altitude  (000  or 
500),  would  result  in  a  coast  approximately  71  percent  of  the 
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TABLE  5-4 

IMPACT  OF  C-BIT  ERRORS:  LEVEL  FLIGHT  -  1000*  ASSIGNED  ALTITUDE 


time  since  the  assigned  altitude  is  an  illegal  code  for  these 
C-bit  errors.  These  tracks  would  then  be  designated  as 
"altitude  unknown." 

Aircraft  which  have  a  stuck  C  bit  and  which  have  vertical  rates 
do  pose  a  tracking  problem  for  the  TCAS  tracking  algorithm. 

This  problem  cannot  be  remedied  by  a  simple  algorithm 
modification.  Figure  5-1  shows  the  impact  on  tracking  that 
would  occur  for  an  aircraft  at  various  vertical  rates  with  a 
-C2  bit  error.  Only  scans  with  "firmness"  value  greater  than 
or  equal  to  2  were  used  since  sense  selection  is  made  only  with 
these  values.  The  magnitude  of  the  projection  errors  varies 
with  aircraft  rate  and  type  of  error;  however,  the  central 
theme  is  that  the  projection  errors  can  be  large  in  the 
presence  of  C-bit  errors. 

A  simulation  model  was  used  to  estimate  the  impact  of  C-bit 
errors  on  vertical  rate  projections  by  TCAS.  Aircraft  were 
simulated  and  tracked  with  vertical  rates  of  500  fpm,  2000  fpm, 
4000  fpm,  and  the  six  types  of  bit  errors.  The  number  of 
observations  for  which  the  track  retained  high  firmness  were 
counted.  Osing  the  nominal  30  second  projection  employed  by 
the  collision  avoidance  logic,  the  magnitude  of  the  errors 
associated  with  a  given  C-bit  error  were  counted  to  determine 
the  percentage  which  were  in  excess  of  300  ft.  In  Table  5-7 
the  results  are  given  for  the  three  vertical  rates.  The  two 
columns  under  each  vertical  rate  represent  the  proportion  of 
time  the  rate  estimate  was  considered  adequate  for  resolution 
(firmness  greater  than  or  equal  to  2)  and  the  percentage  of 
time  the  error  in  the  rate  estimate  would  cause  the  vertical 
projection  error  to  exceed  the  anticipated  maneuver 
displacement  of  TCAS.  For  example,  given  a  +C2  bit  error  and  a 


4000  ft/min. 


FIGURE  5-1 

PROJECTION  RATE  ERRORS  WITH 
-C2  BIT  ERROR 


500  ft  per  minute  vertical  rate,  55  percent  of  the  time  the 
rate  estimate  would  have  been  declared  adequate  for  sense 
selection.  For  these  cases,  where  it  was  adequate  for  sense 
selection,  27  percent  of  the  time  the  projection  error  would 
have  exceeded  300  feet.  Overall,  15  percent  (27  percent  X  55 
percent)  of  the  time  the  vertical  projection  error  would  have 
exceeded  300  feet.  Assuming  all  C-bit  errors  are  equally 
likely,  the  overall  probability  of  C-bit  errors  causing  the 
vertical  projection  error  to  exceed  300  ft  is  also  presented  on 
Table  5-7. 

The  illegal  codes  resulting  from  C-bit  errors  would  also  affect 
the  ability  of  TCAS  to  maintain  track  continuity  on  aircraft 
with  vertical  tracks.  The  actual  sequence  of  track  drops  and 
reinitializations  of  the  same  track  are  dependent  upon  the 
aircraft  vertical  rate,  coast  count  required  to  drop  track, 
number  of  reports  required  to  initiate  a  track,  and  type  of 
C-bit  error  present.  Low  vertical  rates  would  obviously  result 
in  longer  coast  periods  since  the  aircraft  would  be  in  altitude 
bins  which  result  in  illegal  codes  for  longer  periods  of  time. 
Table  5-8  shows  the  vertical  rates  below  which  a  specified 
number  of  illegal  codes  (resulting  in  coasts)  occur. 

5.2.4  Frequency  of  C-Bit  Errors 

Since  the  problem  of  C-bit  errors  can  adversely  affect  the  TCAS 
role  of  collision  avoidance,  an  effort  was  made  to  estimate  how 
frequently  C-bit  errors  occur. 

In  order  to  detect  C-bit  errors  it  is  necessary  to  examine  the 
Mode  C  patterns  of  vertical  tracks  and  match  with  Mode  C 
patterns  representative  of  the  various  C-bit  errors  as  shown  in 
Table  5-3.  The  reliability  of  this  method  Is  dependent  upon 


the  number  of  100  ft  levels  visited  by  the  aircraft  (altitude 
change),  the  number  of  Mode  C  observations  at  each  level 
(vertical  rate) ,  and  the  ability  to  determine  the  correct  Mode 
C  reply  (known  true  position  of  the  aircraft).  Therefore,  it 
is  desirable  to  examine  vertical  profiles  which  visit  all  100 
ft  levels  and  have  a  high  Mode  C  update  rate  to  ensure  data  is 
collected  on  all  100  ft  levels  visited  by  the  aircraft.  It  is 
also  desirable  to  have  a  reference  altitude  profile  for 
accurate  determination  of  the  true  Mode  C  pattern.  It  should 
be  noted  that  any  analysis  of  track  data  for  C-bit  errors  is 
influenced  by  the  surveillance  mechanism  used  in  the  data 
collection  in  terms  of  the  sampling  rate  and  surveillance 
induced  errors  such  as  synchronous  garble  and  multipath. 

The  occurrence  of  C-bit  errors  has  been  detected  by  Gent 
through  the  dynamic  monitoring  of  SSR  Mode  C  data  in  England 
(Reference  34).  Gent  found  persistent  Mode  C  errors  due  to  the 
addition  or  deletion  of  a  single  C  bit  either  "simply”  or 
"conditionally".  By  the  term  "conditionally",  Gent  means  that 
in  certain  cases  the  presence  or  absence  of  a  C-bit  pulse  is 
dependent  upon  the  presence  or  absence  of  another  pulse.  Gent 
concluded  that  there  was  a  persistent  error  rate  of  1.8  percent 
for  aircraft  on  approach  and  .7  percent  for  aircraft  on 
departure.  It  should  also  be  noted  that  Lincoln  Laboratory  has 
found  Mode  C  patterns  indicative  of  C-bit  errors  during  flight 
tests;  however,  no  attempt  was  made  to  determine  the  frequency 
of  occurrence. 

Gent's  analysis  was  conducted  under  certain  limitations.  The 
SSR  has  a  rotation  of  10.8  rpm,  which  corresponds  to  1  flight 
level  Mode  C  update  for  a  vertical  rate  of  1080  ft/min.  For 
vertical  rates  above  1080  ft/min,  Mode  C  data  could  not  be 


collected  on  every  100  ft  level  visited  by  the  aircraft.  Gent 
did  not  have  precision  data  on  the  true  aircraft  track  and 
relied  on  inspection  to  determine  the  true  Mode  C  pattern.  The 
lack  of  persistent  C-bit  errors  (range  dependent  from  the 
radar)  and  the  nature  of  "conditional"  C-bit  errors  in  Gent's 
analysis  lead  to  questions  concerning  the  possibility  of 
multipath  influencing  some  of  the  results.  Multipath  occurs 
when  there  is  an  overlap  of  replies  in  the  bit  pattern  because 
of  reflection  from  the  ground  or  other  structure. 

The  FAA  Technical  Center  has  undertaken  a  brief  study  of  C-bit 
errors  to  determine  their  frequency  of  occurrence.  This 
overcomes  some  of  the  foregoing  limitations  of  Gent's  study. 

The  FAA  Technical  Center  work  is  based  on  the  analysis  of 
existing  TCAS  flight  test  data  and  on  Mode  C  data  versus 
precision  track  data  collected  by  the  NASA/Wallops  Flight 
Facility. 

Although  TCAS  flight  test  data  provides  a  1  second  update  of 
Mode  C  data,  the  track  duration  is  short  (less  than  110 
seconds).  Of  428  vertical  tracks  (46,600  track  seconds),  only 
2  tracks  were  classified  as  having  a  probable  C-bit  error.  In 
one  case  (-C4  bit)  14  out  of  an  expected  16  bin  reports  were 
missing.  In  the  other  case  (+C2  bit)  18  out  of  an  expected  22 
bin  reports  were  missing. 

The  NASA/Wallops  effort  has  yielded  approximately  270  tracks 
for  analysis.  Preliminary  analysis  indicates  no  anomalies  in 
the  100  ft  altitude  patterns  of  vertical  tracks.  One  high 
order  bit  error  in  one  track  was  detected.  ATC  observed  this 
anomaly  and  subsequently  had  the  aircraft  pilot  turn  off  the 
Mode  C.  The  NASA/Wallops  data  has  been  collected,  and  the  data 
is  being  analyzed. 


5-24 


Based  on  analysis  of  surveillance  data  collected  during  TCAS 
flights  and  preliminary  analysis  of  Wallops  Island  data,  the 
percentage  of  aircraft  exhibiting  Mode  C  bit  errors  is 
significantly  smaller  than  the  2  percent  postulated  by  Dr. 
Gent.  Review  of  the  surveillance  data  resulted  in  the 
detection  of  at  most  2  transponders  (0.47  percent)  exhibiting 
Mode  C  bit  error  characteristics.  A  statistical  confidence 
level  can  be  computed  to  account  for  the  finite  sample  size  of 
this  measurement.  Using  a  95  percent  confidence  level,  the 
upper  bound  on  the  fraction  of  aircraft  exhibiting  a  C-bit 
error  is  1.2  percent;  for  99  percent  confidence,  it  is  1.3 
percent.  Preliminary  analysis  of  the  Wallops  Island  data 
detected  only  one  failure  condition  (0.36  percent),  and  that 
was  a  higher  order  bit. 

5.2.5  Conclusions  on  Risk  Ratio  for  C-Bit  Errors 


Using  the  results  of  the  transponder  bit  error  analysis, 
conclusions  about  the  probability  of  TCAS  creating  a  hazardous 
situation  due  to  encoder  bit  failure  can  be  made.  In  addition 
to  a  proximate  encounter,  the  following  factors  apply:  (1)  the 
intruding  aircraft  must  have  a  vertical  rate,  (2)  the  intruding 
aircraft’s  transponder  must  have  a  C-bit  failure,  (3)  the  error 
in  the  projected  vertical  position  caused  by  the  encoder 
failure  must  be  of  sufficient  magnitude,  (4)  the  direction  of 
the  error  in  the  projected  vertical  position  must  be 
detrimental  to  TCAS.  Given  that  a  proximate  encounter 
condition  exists.  Table  5-9  presents  the  probability  that  a 
transponder  bit  failure  would  cause  TCAS  to  create  a  hazardous 
situation.  In  Section  4.1  it  was  shown  that  proximate 
encounters  occur  approximately  1U  times  as  frequently  as  an 
NMAC.  Thus  the  nominal  Risk  Ratio  ascribable  to  a  bit  failure 
is  about  .002. 
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TABLE  5-9 

PROBABILITY  OF  C-BIT  FAILURE  CAUSING  TCAS  TO 
CREATE  A  HAZARDOUS  SITUATION  GIVEN  A  PROXIMATE 
CONDITION  EXISTS 


EVENT 


PROBABILITY 


Intruder  is  not  in  level  flight 


Aircraft  transponder  has  C-bit  error 


C-bit  error  will  cause  at  least  a  300  foot 
error  in  projected  vertical  position 


Error  is  in  direction  detrimental  to  TCAS 
Probability  of  Events 


{ 


0.40 

0. 005  Piedmont 
data 

0.012  Upper  bound 
of  Wallops 
data 

(95%  conf.) 

0.20 


0.50 

2.0  x  10"4 
4. 8  x  10-4  (upper 
bound ) 


Although  higher  order  bit  errors  could  prevent  TCAS  from 
alarming  in  a  true  threat  situation,  the  higher  order  bit 
failure  would  not  cause  TCAS  to  create  a  hazardous  situation. 
B-bit  and  higher  order  bits  would  cause  large  errors,  which 
could  easily  be  detected  by  ATC.  Except  for  B4  bit  failures, 
the  higher  order  bits  would  cause  such  large  bias  in  relative 
altitude  that  TCAS  could  not  maneuver  into  the  airspace 
occupied  by  the  aircraft.  B-bit  failures  for  aircraft  with 
vertical  rates  would  cause  large  jumps  in  altitude  resulting  in 
surveillance  coasting.  This  would  result  in  a  high  fraction  of 
low  confidence  rate  estimates,  which  cannot  be  used  in  sense 
selection. 

Lower  order  (C-bit)  failures  could  lead  to  TCAS  creating  a 
hazardous  situation.  C-bit  failures  for  aircraft  with  vertical 
rates  could  adversely  affect  the  ability  of  the  TCAS  tracker  to 
accurately  predict  position,  thereby  resulting  in  potential 
sense  selection  and  command  magnitude  errors.  C-bit  failures 
for  aircraft  in  level  flight  result  in  at  most  a  100  foot 
translation  in  the  transponded  Mode  C  altitude.  This  fact  in 
itself  would  cause  no  problem  for  TCAS.  Certain  types  of  C  bit 
errors  (especially  -C2)  would  cause  an  increase  in  the  coast 
rates  for  Intruders  at  the  standard  level  flight  altitudes. 

The  probability  of  missed  RA  for  an  NMAC  encounter  is  presented 
in  Table  5-10.  This  calculation  assumes  all  C-bit  errors  are 
equally  likely.  Depending  on  the  details  of  the  TCAS 
Implementation,  TCAS  might  still  give  the  pilot  an  "altitude 
unknown"  Traffic  Advisory  for  this  case. 
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5.3  Equipment  Failure 

Equipment  failure  may  impact  either  of  the  two  principal  types 
of  TCAS  failures  discussed  in  this  report.  The  first  is  failure 
to  resolve  an  NMAC.  Any  reasonably  reliable  equipment  will 
have  no  appreciable  effect  on  this  probability. 

The  second  type  is  the  induced  NMAC.  The  principal  concern  is 

a  specific  equipment  failure  that  causes  an  incorrect  RA,  which 

together  with  a  specific  geometrical  arrangement  of  the 

aircraft  could  lead  to  an  NMAC.  In  Section  4,  it  was  found 

that  altimetry  errors  resulted  in  a  Risk  Ratio  of  about  10  ; 

the  preceding  section  showed  bit  errors  result  in  a  Risk  Ratio 
-3 

near  10  .  In  order  for  equipment  failure  not  to  contribute 

significantly  to  induced  NMACs,  this  cause  of  incorrect  RA 

-4 

should  be  on  the  order  of  10  per  present  NMAC. 

Only  some  failures  can  lead  to  an  incorrect  RA  (see  Appendix 
F) ,  and  only  some  of  these  would  go  undetected  by  the  TCAS 
Performance  Monitor.  Thus,  a  combination  of  reliable 
equipment,  periodic  maintenance,  and  Performance  Monitoring  all 
Influence  the  rate  of  undetected  failures  of  this  type. 
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6.  VISUAL  ACQUISITION 

The  study  assumes  that  if  the  pilot  of  the  TCAS  aircraft 
visually  acquires  a  conflicting  aircraft,  he  will  avoid  it. 

This  section  will  assess  the  TCAS  Traffic  Advisory  as  an 
improvement  to  visual  acquisition.  This  probability  varies 
greatly  with  the  characteristics  of  the  target  aircraft  and 
with  search  conditions.  It  is  usually  insufficient  to  assume  a 
single  number  for  this  probability  for  each  type  of  encounter 
situation.  Fortunately,  a  suitable  model  was  developed  during 
the  analysis  of  test  data  for  the  ATARS  (IPC)  collision 
avoidance  system.  This  model  (see  Reference  35)  allows  the 
effects  of  closing  rate  and  target  size  to  be  taken  into 
account  in  computing  acquisition  probabilities.  The  basic 
assumption  of  the  model  is  that  for  nominal  search  conditions 
(defined  below),  the  acquisition  rate  (i.e.,  the  probability  of 
visual  acquisition  per  unit  time)  is  proportional  to  the 
angular  subtense  of  the  target.  This  assumption  has  been  shown 
to  be  valid  for  visual  acquisition  data  gathered  by  several 
different  experimenters. 

There  are  theoretical  arguments  which  can  be  used  to  extend  the 
model  to  special  cases  (for  example,  to  handle  cases  of  poor 
atmospheric  visibility).  However,  there  is  no  experimental 
validation  of  the  model  under  these  special  conditions,  and 
hence,  the  analysis  which  follows  is  conservative  with  regard 
to  non-nomlnal  cases. 

6.1  The  Visual  Acquisition  Model 

Figure  6-1  depicts  the  functional  relationship  between  various 
factors  which  influence  the  visual  acquisition  rate.  It  can  be 
seen  that  the  visible  area  together  with  the  range  determines 


Aspect 

Angle 


FIGURE  6-1 

FACTORS  INFLUENCING  ACQUISITION  RATE 


the  subtended  solid  angle  of  the  target.  For  a  non-maneuvering 
collision  situation,  the  visible  area  is  constant.  The 
effective  contrast  of  the  target  is  determined  by  the  range, 
the  atmospheric  absorption,  and  the  inherent  contrast  of  the 
target  with  the  background.  The  subtended  solid  angle  and  the 
effective  contrast  together  determine  the  detectability  of  the 
target.  This  detectability  is  related  to  the  angular  proximity 
which  must  exist  between  the  target  and  the  foveal  center  of 
the  pilot's  search  in  order  for  acquisition  to  occur.  Several 
factors  such  as  the  fraction  of  time  devoted  to  visual  search 
and  the  angular  area  over  which  the  search  is  conducted  also 
impact  the  acquisition  rate.  It  is  also  obvious  that  a  target 
must  be  within  the  pilot's  f ield-of-view  in  order  to  be 
acquired.  It  should  be  noted,  however,  that  because  a  traffic 
advisory  stimulates  the  pilot  to  alter  his  position  in  the 
cockpit  to  search  a  particular  direction,  the  effective 
f ield-of-view  of  the  pilot  is  greater  with  traffic  advisories 
than  it  is  without. 

The  principal  mathematical  rel^t  onship  assumed  by  the  model  is 
that  under  nominal  search  cono..  cions  the  acquisition  rate 
(i.e.,  probability  of  acquisition  per  unit  of  time)  is 
proportional  to  the  solid  angle  subtended  by  the  target.  The 
acquisition  rate  can  then  be  written: 

k-  (3  -^2  U) 

r 

where  the  notation  employed  is  provided  in  Table  6-1.  The 
probability  of  no  acquisition  for  search  which  begins  at  time 
t^  before  collision  and  ends  at  time  t2  before  collision  is 
given  by  the  integral  expression 


TABLE  6-1 

NOTATION  EMPLOYED  IN  VISUAL  ACQUISITION  ANALYSIS 


Aircraft  visible  area 

Aircraft  visible  area  when  viewed  head-on  (from  12  o'clock) 

Aircraft  visible  area,  when  viewed  broadside  (from  3 
o'clock) 

Aircraft  visible  area  when  viewed  from  directly  above 


Range  between  aircraft 
Range  rate 


Time  at  which  alerted  search  begins  (seconds  before 
closest  approach) 

Time  at  which  visual  acquisition  must  occur  (seconds 
before  closest  approach) 

Airspeed  of  TCAS  aircraft  (own  aircraft) 

Airspeed  of  intruder  aircraft 

Model  constant  which  relates  acquisition  rate  to  the 
subtended  solid  angle  of  the  target  aircraft 

Acquisition  rate  (instantaneous  probability  of  acquisition 
per  unit  of  time) 

Bearing  of  aircraft  c  as  seen  from  aircraft  1  (degrees 
clockwise  from  the  12  o’clock  position) 

Bearing  of  aircraft  1  as  seen  from  aircraft  _  (degrees 
clockwise  from  the  12  o'clock  position) 

Crossing  angle  (heading  of  aircraft  2  less  heading  of 
aircraft  1) 
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(2) 


P  [No  Acquisition] 


exp 


A/r 


dt) 


This  is  a  special  case  of  a  nonhomogenous  Poisson  process.  If 
one  assumes  that  the  aircraft  are  on  a  non-accelerating 
collision  course,  then  the  range  decreases  at  a  constant  rate 
and  A  is  constant.  Equation  (2)  then  becomes 

Pa  ^i  -  ^2 

P  [No  Acquisition]  “  exp  [-  — *—  — — -  ]  t1  >  t„  (3) 

r  tlt2 

It  can  ie  seen  that  this  expression  takes  the  size  of  the 
target,  the  closing  rate,  and  the  time  of  alerted  search  into 
account  in  explicit  fashion.  Other  factors  must  be  taken  into 
account  by  proper  selection  of  the  model  constant  P . 

6.2  Effects  of  Search  Start  Time 

It  can  readily  be  shown  using  equation  (3)  that  little 
improvement  in  acquisition  probability  is  achieved  by  beginning 
visual  search  earlier  than  about  three  times  the  required 
acquisition  lead  time  (t2).  This  is  because  the  added  search 
time  occurs  while  the  target  is  at  a  greater  distance  and  is 
less  likely  to  be  acquired.  An  analysis  supporting  this 
statement  can  be  found  in  Reference  35  (page  45).  It  appears 
that  TCAS  alarm  thresholds  are  appropriate  from  this  point  of 
view  since  the  Tau  criteria  for  TCAS  traffic  advisories 
(approximately  45  seconds)  are  roughly  three  times  the  required 
acquisition  lead  time  (15s). 
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6.3  Determination  of  the  Model  Constant 

For  Che  purpose  of  this  analysis,  it  will  be  assumed  that  (3 
is  equal  to  zero  (no  visual  acquisition  is  possible)  under  the 
following  conditions: 

O  Instrument  meterological  conditions  (IMC)  exist, 
o  The  target  is  outside  the  pilot's  f ield-of-view. 

o  The  pilot  is  unable  to  interrupt  his  other  tasks  in 

order  to  search  for  the  target. 

\ 

O  The  pilot  has  not  yet  received  a  TCAS  TA. 

These  assumptions  are  conservative  since  (with  the  exception  of 
the  f ield-of-view  requirement)  none  of  these  conditions 
absolutely  preclude  visual  acquisition.  In  addition,  visual 
search  prior  to  the  TCAS  TA  sometimes  results  in  early 
acquisition. 

The  value  of  p,  which  is  appropriate  for  nominal  search 

conditions,  has  been  determined  by  experiment.  In  the  ATARS 

4 

( IPC)  flight  tests,  a  value  of  9  x  10  /sec  was  derived.  In 
the  more  limited  data  base  available  to  TCAS,  a  value  of  at 

4 

least  14  x  10  /sec  seems  to  be  indicated.  (A  higher  value  is 
to  be  expected  for  TCAS  due  to  the  increased  bearing  accuracy 
of  the  TCAS  TA. ) 

In  Reference  35,  the  value  of  p,  which  applied  to  unalerted 
search  for  VFR  flights,  was  estimated  to  be  approximately 
10,000/sec.  Thus  the  presence  of  the  traffic  advisory 
increased  the  acquisition  rate  by  a  factor  of  approximately  9. 
This  is  reasonable  since  merely  alerting  the  pilot  to  initiate 
visual  search  doubles  or  triples  the  amount  of  time  devoted  to 


visual  search,  and  informing  him  of  the  direction  in  which  to 
search  decreases  angular  search  area  by  a  factor  of  4  or  5. 
The  effect  upon  alarm  rate  is  multiplicative  (i.e.,  twice  the 
search  time  in  one-fourth  the  area  should  increase  the 


acquisition  rate  by  a  factor  of  8).  In  the  calculations  which 
follow  an  unalerted  search  value  of  10,000/sec  will  be  assumed. 

If  more  than  one  pilot  is  involved  in  the  visual  search,  then 
the  probability  that  at  least  one  pilot  will  acquire  is 
obtained  by  using  a  P  value  which  is  the  sum  of  the  P  values 
for  the  individual  pilots. 

6.4  Calculation  of  Visible  Area 

The  visible  area.  A,  is  a  function  of  the  target  shape,  size 
and  the  aspect  angle  with  which  the  target  is  viewed.  A  simple 
technique  for  calculating  an  approximate  visible  area  is 
described  in  Reference  35.  In  this  approximation,  the  target 
aircraft  is  modeled  as  if  it  were  an  object  consisting  of  only 
three  perpendicular  planar  surfaces  corresponding  to  the 
silhouette  of  the  aircraft  when  viewed  head-on,  broadside,  and 
from  directly  above  (see  Figure  6-2).  Appropriate  values  for 
the  areas  of  these  three  surfaces  are  provided  in  Table  6-2  for 
three  representative  types  of  aircraft.  For  the  calculations 
which  follow,  it  will  be  assumed  that  the  target  aircraft  is 
viewed  from  the  horizontal  plane,  and  hence,  that  only  A^  and 
Ay  contribute  to  the  visible  area.  The  visible  area  is  then 
approximated  as  follows: 

ax  -  Ax  [sine2] 

a  *  A  [cos0ol 
y  y  2 J 

A  =  max  (ax,  ay)  +  -y-  min  (ax,  ay) 
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FIGURE  6-2 

AIRCRAFT  VISIBLE  AREAS  WHEN  VIEWED  FROM  THE 
THREE  PRINCIPAL  COORDINATE  AXES 


6.5  Required  Visual  Acquisition  Time 


According  to  the  model,  when  the  target  is  approaching  on  a 
collision  course  from  within  the  f ield-of-view  under  nominal 
search  conditions,  the  pilot  is  certain  to  acquire  at  some 
point  since  the  angular  size  of  the  target  will  eventually 
become  very  large.  But  visual  search  must  be  regarded  as 
unsuccessful  unless  acquisition  occurs  with  enough  lead  time  to 
allow  the  pilot  to  evaluate  and  react  to  the  sighting.  In 
calculations  which  follow,  a  late  acquisition  is  defined  as  any 
acquisition  which  occurs  at  less  than  15  seconds  to  projected 
collision.  In  any  set  of  actual  encounters,  there  would  be 
some  cases  in  which  later  acquisitions  were  successful  in 
allowing  visual  avoidance  and  some  in  which  earlier 
acquisitions  were  unsuccessful.  The  15  second  value  is 
intended  to  represent  an  average  requirement,  not  a  worst  case 
value. 

6.6  Calculation  of  Visual  Acquisition  Probabilities 
We  will  now  calculate  visual  acquisition  probabilities  for  some 
particular  cases  of  interest.  For  these  calculations,  it  is 
assumed  that  the  aircraft  are  approaching  on  unaccelerated 
flight  paths  with  constant  airspeeds.  Let  the  crossing 
angle,  X ,  be  defined  as  the  difference  in  headings  of  the  two 
aircraft  (see  Figure  6-3).  Thus,  X  -  0°  corresponds  to 
i  parallel  flight  and  X  =  180°  corresponds  to  a  head-on 

encounter.  X  can  be  written  in  terms  of  the  bearings  as  follows 

X  -  tt  +  6^^  -  e2  (5 

A  necessary  condition  for  a  collision  course  is 

sin  6X  +  V 2  sin  02  ■  0  (6 
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FIGURE  6-3 

NOTATION  EMPLOYED  IN  DESCRIPTION  OF  ENCOUNTER  GEOMETRY 


Taken  together,  these  two  equations  define  a  unique  pair  of 
bearings  which  must  exist  for  a  collision  to  occur  at  a 
particular  crossing  angle.  The  range  rate  which  then  exists  is 

r  *  — cos  0j  -  cos  02  (?) 

The  probability  of  visual  acquisition  before  15  seconds  is 
given  by  equation  (3)  with  t2  =  15  seconds.  Table  6—3 
provides  an  example  of  the  values  of  the  relevant  quantities 
for  crossing  angles  from  0  to  180  degrees  when  the  TCAS 
aircraft  has  an  airspeed  of  250  knots  and  the  intruder  is  a 
small  aircraft  with  an  airspeed  of  130  knots. 

Several  points  are  worth  noting  in  Table  6-3.  First,  the 
acquisition  probability  is  greater  at  shallow  angles  when  the 
closing  rate  is  smaller.  It  decreases  to  a  minimum  in  the 
head-on  geometry.  Because  the  TCAS  aircraft  is  the  faster 
aircraft,  all  collision  geometries  require  the  intruder  to 
approach  from  a  bearing  sector  of  approximately  +  30  degrees 
centered  upon  the  12  o'clock  bearing.  For  collision 
geometries,  the  slower  aircraft  always  approaches  the  faster 
from  somewhere  in  the  forward  hemisphere.  This  result  means 
that  the  intruder  is  likely  to  be  within  the  f ield-of-view  when 
the  TCAS  aircraft  is  the  faster  of  the  pair. 

In  averaging  acquisition  probabilities,  some  care  must  be  taken 
to  weight  the  values  according  to  the  likelihood  with  which 
each  geometry  occurs.  If  the  heading  of  each  aircraft  is 
uniformly  distributed  between  0°  and  360°,  then  all 
crossing  angles  are  equally  likely.  For  two  aircraft  selected 


TABLE  6-3 

CALCULATION  OF  VISUAL  ACQUISITION  PROBABILITIES  -  AN  EXAMPLE 


Own  Airspeed: 
Intruder  Airspeed: 
Intruder  Size: 

Time  Search  Begins: 
Time  at  Which  Visual 
Model  Constant: 


X  e2 


250  knots 
130  knots 

Ajj  =  20  sq.  ft.  Ay  =  100  sq.  ft. 
tj  =  40  sec 
Required:  t2  *  15  sec 

p  =  140000/sec 


0i  r  A  P(visual) 


at  random,  an  unweighted  average  of  the  values  in  Table  6-3 
would  provide  the  average  probability  of  visual  acquisition. 
However,  if  aircraft  are  allowed  to  encounter  each  other  in  an 
unstructured  fashion,  there  will  be  more  encounters  with 
aircraft  which  are  flying  at  higher  speeds  relative  to  the  TCAS 
aircraft.  In  this  case  the  average  should  be  weighted 
according  to  relative  speed. 

Table  6-4  provides  the  average  probabilities  of  visual 
acquisition  for  a  combination  of  airspeeds  and  intruder  types. 
In  computing  these  averages,  all  crossing  angles  were  assumed 
to  be  equally  likely.  It  was  also  assumed  that  visual 
acquisition  was  impossible  if  the  intruder  was  approaching  from 
behind  at  any  bearing  from  5  to  7  o’clock.  The  value  of  p  for 
unalerted  search  is  taken  from  Reference  35. 

The  extent  to  which  a  change  in  the  value  of  the  parameter  P 
can  affect  acquisition  probabilities  can  be  further 
characterized  by  using  equation  (3)  to  derive  the  following 
relationship: 


qi  =  qo 


Pl/Po 


(s: 


where  q2  and  qQ  are  the  probabilities  of  acquisition 
failure  for  parameter  values  ^  and  PQ,  respectively.  Note 
that  this  relationship  is  independent  of  the  target  area, 
closing  rate,  or  time  of  search.  A  plot  of  q2  versus  qQ  is 
provided  in  Figure  6-4  for  various  ratios  of  the  model 
parameter.  Earlier  it  was  suggested  that  the  presence  of  an 
automated  traffic  advisory  can  increase  the  value  of  p  by  an 


Airspeed:  Vi  *  250  kn 


Jet  Transport 
Military,  jet  fighter 


Final  Ac 


order  of  magnitude  or  more.  Under  this  condition,  it  can  be 
seen  that  for  q^  significantly  less  than  unity,  the  presence 
of  the  traffic  advisory  will  decrease  the  acquisition  failure 
rate  by  several  orders  of  magnitude.  When  q^  is  near  unity 
(very  little  chance  of  successful  acquisition) ,  the  presence  of 
the  traffic  advisory  cannot  reduce  the  failure  rate  to 
negligible  levels.  However,  it  can  be  shown  from  equation  (8) 
that  for  q^  near  unity,  the  probability  of  successful  visual 
acquisition  is  increased  by  a  factor  of  approximately  (3^/Pq. 

6.7  General  Conclusions 

The  following  general  conclusions  concerning  visual  acquisition 
are  supported  by  the  analysis  presented  in  this  chapter: 

1.  Under  nominal  search  conditions,  a  TCAS  II  traffic 

advisory  can  Increase  the  instantaneous  rate  of  visual 
acquisition  by  an  order  of  magnitude  or  more. 


Visual  acquisition  probabilities  are  low  for  head-on 
encounters  with  smaller  aircraft.  In  general,  the 
increased  size  of  jet  transport  intruders  more  than 
compensates  for  their  increased  speed  making  them 
easier  to  acquire. 


6.8  Specific  Conclusions 

The  following  results  apply  to  TCAS  when  good  Visual 
Meteorological  Conditions  exist.  No  visual  acquisition  was 
assumed  for  intruders  approaching  from  behind,  from  5  to  7 
o'clock.  These  conclusions  result  from  averaging  the 
contributions  of  encounters  with  the  three  types  of  aircraft 
listed  in  Table  6-4.  The  highest  intruder  airspeed  was  used 


s  UM 


for  each  aircraft  type  in  the  table,  providing  a  more 
conservative  result.  The  values  for  two  pilots,  alerted,  were 
used,  representing  own  aircraft  (an  air  carrier  with  at  least 
two  crew  members,  alerted  by  TCAS). 

1.  The  weighted  average  for  NMAC  data  gives  an  overall 
probability  of  not  acquiring  a  threat  by  15  seconds 
before  CPA  to  be  0.17  (acquisition  probability  *  .83) 

2.  The  weighted  average  for  NMAC  data  gives  an'  overall 
probability  of  not  acquiring  a  threat  by  25  seconds 
before  CPA  (the  time  of  the  RA)  to  be  0.35 
(acquisition  probability  “  .65). 

Appendix  L  applies  the  visual  acquisition  model  to  the  usual 
case  that  a  pilot  experiences  when  traffic  advisories  are 
provided  by  the  ATC  controller  over  VHF  radio.  There  it  is 
shown  that  the  model  predicts  a  typical  probability  of  visual 
acquisition  for  those  conditions  to  be  around  30  percent,  much 
lower  than  the  model  predictions  which  are  appropriate  for  use 
in  NMAC  geometries.  These  results  are  generally  agreed  to  be 
consistent  with  pilot  experience,  and  provide  some  level  of 
confidence  in  the  validity  of  the  model. 


FAULT  TREE  FOR  TCAS  SAFETY  ANALYSIS 
The  fault  tree  constructed  for  this  study  provides  both  a 
qualitative  and  a  quantitative  means  to  identify  and  analyze 
failure  modes  in  the  overall  system.  A  fault  tree  identifies 
all  possible  means  by  which  a  single  undesired  event  (in  this 
case,  a  critical  near  midair  collision)  can  occur,  organizes 
them  into  a  logical  structure  to  study  the  processes  leading  to 
failures,  and  systematically  identifies  all  their  root  causes 
and  interactions.  If  a  failure  can  be  caused  by  the  occurrence 
of  one  of  several  events,  the  events  are  represented  in  a  tree 
structure  as  combining  at  a  logical  OR  "gate."  If  all  the 
events  must  fail  to  cause  a  system  failure,  they  are  combined 
in  the  tree  structure  with  a  logical  AND  gate  (Reference  2). 
Since  all  contributory  causes  of  failure  are  identified,  the 
quantitative  analysis  accurately  represents  the  impact  of  a 
particular  failure  mode  on  the  overall  failure  probability. 

The  fault  tree  in  this  study  combines  a  comprehensive  analysis 
of  TCAS  failure  mechanisms  with  non-TCAS  events.  The 
interactions  between  them  are  fundamental  to  the  effect  of  TCAS 
on  the  NMAC  hazard.  Thus,  the  fault  tree  Is  not  merely  a  TCAS 
fault  tree,  nor  is  it  a  comprehensive  NMAC  fault  tree. 

Instead,  it  is  a  form  of  NMAC  fault  tree  with  considerable 
detail  for  TCAS-related  branches . 

In  this  section,  the  development  of  the  fault  tree  will  be 
presented  and  the  significance  of  the  complete  tree  discussed. 
The  methodology  for  the  quantitative  analysis  of  the  tree  will 
be  described,  followed  by  the  reduction  and  analysis  of  the 
tree. 


The  approach  taken  in  the  development  of  the  fault  tree  makes 
use  of  the  fact  that  TCAS  issues  advisories  only  in  the  last  35 
to  45  seconds  prior  to  closest  point  of  approach  (CPA).  We 
assume  that  any  events  that  can  lead  to  an  NMAC  that  occur 
prior  to  approximately  one  minute  before  CPA  have  already 
occurred. 

There  are  two  primary  types  of  TCAS  failures  which  we  are 
interested  in  evaluating: 

1.  Two  aircraft  are  on  flight  paths  such  that  the  pilot 
will  need  to  make  a  maneuver  in  order  to  avoid  an 
NMAC;  TCAS  does  not  provide  an  advisory  adequate  to 
enable  the  pilot  to  avoid  it.  We  will  refer  to  this 
as  an  "Unresolved  NMAC". 

2.  Two  aircraft  are  on  flight  paths  such  that  if  no 
maneuver  is  made,  an  NMAC  will  not  occur  (the  aircraft 
will  pass  safely  in  the  vertical  dimension).  A  faulty 
instruction  is  issued  (in  particular,  a  Resolution 
Advisory)  which  is  followed,  causing  a  critical  NMAC 
to  occur.  We  will  refer  to  this  as  an  "Induced  NMAC". 

The  fault  tree  is  set  up  so  as  to  measure  these  two  factors 
separately.  This  is  possible  because,  in  general,  the  failure 
mechanisms  for  these  events  are  different.  Failures  of  the 
first  type  will  result  from  TCAS  not  displaying  an  advisory  or 
the  pilot  not  using  it.  Once  an  advisory  is  displayed,  it  will 


usually  lead  to  safe  separation  <since  a  displacement  of  100 
feet  or  less  in  the  correct  direction  removes  the  aircraft  from 
an  NMAC).  In  the  second  case,  an  advisory  is  required  in  order 
for  failure  to  occur. 

The  distinction  between  these  two  types  of  failures  enables  us 
to  establish  a  first  set  of  immediate  and  sufficient  causes  of 
NMACs :  either  an  NMAC  was  about  to  occur,  but  was  not  avoided; 
or  one  was  not  about  to  occur,  but  was  induced.  These 
circumstances  define  the  second  level  events  illustrated  in 
Figure  7-1.  These  two  events  become  "top  events"  of  two 
subtrees. 

In  the  tree  in  this  study,  the  structure  does  not  indicate  any 
time  order  to  the  occurrence  of  events;  in  addition,  certain 
failure  probabilities  will  actually  be  conditional 
probabilities,  with  the  condition  not  listed  as  an  event  within 
the  tree.  An  ideal  fault  tree  describes  not  only  what  happens, 
but  the  order  in  which  the  events  occur  and  all  preconditions 
to  an  event.  However,  these  conditions  will  be  explained  and 
taken  into  account  in  the  quantitative  analysis. 

To  assist  in  the  following  explanation  of  the  fault  tree,  a 
convention  has  been  designed  to  aid  in  identifying  and  locating 
events  within  the  tree.  Events  are  given  a  unique  3-digit 
numeric  identifier.  Also,  a  level  number  indicates  how  far 
down  in  the  tree  the  event  will  be  found.  Each  event,  except 
the  top  event,  can  be  referenced  by  its  level  and  event 
number.  Thus  the  two  events  at  level  2  in  Figure  7-1  are 
events  2-000  and  event  2-500.  In  addition,  event  numbers  are 
assigned  to  the  tree  in  the  following  manner; 
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TCAS  FAULT  TREE:  TOP  EVENT  (CRITICAL  NMAC) 


Event  numbers  000  to  499  are  on  the  "000  branch"  and  will  be 
found  below  event  000  (unresolved  NMAC).  Event  numbers  500  to 
999  are  on  the  "500  branch"  (induced  NMAC).  On  each  branch, 
events  are  given  increasing  numbers  from  top  to  bottom  and  from 
left  to  right.  "Round"  numbers  like  100,  600,  and  150  will  be 
found  closer  to  the  top;  intermediate  numbers,  like  179,  378, 
and  732  will  be  found  at  or  near  the  bottom. 

7.1.1  The  000  Branch  of  the  Tree,  Unresolved  NMAC 
The  000  Branch  of  the  fault  tree,  Unresolved  NMAC,  is  shown  in 
Figure  7-2.  The  failure  to  resolve  the  NMAC  is  in  the  failure 
of  two  principal  events:  the  controller  failing  to  resolve 
with  instructions  (event  3-100)  and  the  pilot  failing  to 
maneuver  on  his  own  (event  3-300).  In  turn,  pilot  failure  is 
the  failure  of  the  pilot  to  see-and-avoid,  aided  by  the  TCAS  TA 
display  (event  4-350),  and  the  failure  of  a  TCAS  RA  to  avoid 
the  NMAC  (event  4-410).  Each  branch  will  be  discussed  in  turn. 

Controller  Branch:  Event  3-100.  The  System  Safety  study  did 
not  analyze  the  possibility  of  pilot /controller  interaction 
during  the  time  interval  of  the  TCAS  alert.  Nonetheless, 
branch  100  of  the  fault  tree  is  provided  for  these  actions,  as 
well  as  for  those  the  controller  might  take  independently  of 
the  pilot.  Should  pilot/controller  interactions  be  identified, 
they  can  be  evaluated  based  on  this  branch  of  the  tree. 

This  branch  describes  failures  within  the  following  process  of 
resolving  a  conflict:  the  controller  perceives  the  conflict, 
either  by  monitoring  his  display  or  by  the  presence  of  a 
Conflict  Alert;  he  determines  a  maneuver  that  will  resolve  the 
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conflict  and  communicates  it  to  the  pilot;  the  pilot  makes  a 
maneuver  which  resolves  the  conflict.  The  fault  tree  structure 
arises  from  this  process  by  enumerating  the  methods  by  which 
each  of  these  steps  could  fail. 

As  there  is  an  automated  system  (Conflict  Alert)  designed  to 
bring  conflicts  to  the  controller's  attention  and  provide  a 
measure  of  redundancy  to  the  system  (thus  the  "AND”  gate  under 
event  5-160),  the  possibility  of  its  failure  is  included  as 
well. 

Pilot  "See-and-Avoid"  Branch:  Event  4-350.  This  branch  has 
the  most  commonality  when  comparing  TCAS  and  non-TCAS  safety. 
This  is  primarily  due  to  the  function  of  TCAS  TAs,  which  is  to 
provide  an  aid  to  the  pilot's  see-and-avoid  process.  They 
increase  the  probability  that  the  pilot  will  see  a  threat;  but 
the  probability  of  avoiding  the  NMAC  once  the  threat  is  seen  is 
the  same. 

The  process  of  the  pilot  avoiding  a  conflict  is  simpler  in  form 
than  the  controller  process  described  above.  Failure  to  avoid 
the  NMAC  can  occur  if  the  pilot  fails  to  realize  there  is 
conflict  (event  5-355),  if  he  fails  to  select  and  execute  a 
maneuver  (event  5-380) ,  or  if  the  aircraft  is  unable  to  execute 
the  maneuver  (event  5-405). 

Failure  to  determine  the  existence  of  a  conflict  requires  the 
failure  of  all  three  mechanisms  by  which  the  pilot  can 
determine  that  a  conflict  exists.  These  mechanisms  and  their 
failure  events  are  visual  acquisition,  unaided  by  TCAS  (event 
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6-360);  voice  communications  (event  6-370);  and  the  TCAS  TA 
display  (visual  acquisition  is  not  assumed)  (event  6-375).  As 
the  failure  of  all  three  is  required,  they  are  connected  by  an 
"AND"  gate  to  event  5-355. 

If  the  pilot  does  perceive  the  conflict,  he  will  then  select 
and  execute  a  maneuver  which  will  avoid  the  NMAC.  If  the 
conflict  was  perceived  by  means  of  voice  communications  or  a 
TA,  then  visual  acquisition  must  occur;  this  can  fail  by  either 
the  aircraft  being  in  adverse  visual  conditions  (IMC  or  other 
difficult  conditions  such  as  glaring  sun  or  haze)  (event  7-386) 
or  by  the  pilot  not  being  able  to  acquire  the  threat  in  time  to 
maneuver  (event  7-391).  If  the  threat  is  visually  acquired,  an 
escape  maneuver  should  be  made.  The  possibility  of  a  failure 
to  maneuver  appropriately  is  treated  as  a  human  factors 
variable.  The  possibility  of  the  TA  misleading  the  pilot  or 
the  pilot  taking  an  inappropriate  action  to  avoid  the  NMAC,  by 
using  the  TA  Instead  of  visual  acquisition  as  the  basis  for  a 
maneuver,  Is  described  by  event  7-398. 

Resolution  Advisories;  Branch  4-410.  TCAS  Resolution  Advisory 
faults  have  been  analyzed  in  great  detail.  Four  general 
classes  of  these  faults  are  listed  here ;  a  complete  listing  of 
the  branches  is  presented  in  Appendix  G.  The  four  classes  of 
faults  are: 

•  No  Resolution  Advisory  is  displayed  (e’rent  5-420) 

•  A  Resolution  Advisory  is  displayed  but  not  in  time 
(event  5-430) 


•  The  Pilot  does  not  follow  the  RA  (event  5-440) 

•  The  Resolution  Advisory  is  Inadequate  to  Avoid  NMAC 
(the  wrong  sense  or  strength  is  given,  or  it  is  not 
displayed  long  enough)  (event  5-450) 

7.1.2  The  500  Branch  of  the  Fault  Tree,  Induced  NMAC 
The  logical  interconnection  of  events  may  be  more  difficult  to 
see  in  the  Induced  NMAC  branch  of  the  tree.  This  branch  must 
deal  with  the  source  of  the  decision  to  maneuver  —  either  the 
pilot,  TCAS,  or  the  controller  —  and  any  mechanisms  which  can 
override  this  decision,  not  all  of  which  apply  in  every 
scenario. 

Branch  500  is  shown  in  Figure  7-3.  In  order  for  an  induced 
critical  NMAC  to  occur  (event  2-500),  two  things  must  happen: 

•  The  pilot  must  maneuver  the  aircraft  (event  3-600)  in 
such  a  fashion  as  to  create  an  impending  NMAC  within 
the  short  time  period  prior  to  CPA  for  which  the  fault 
tree  applies  (approximately  1  minute) 

•  Neither  the  controller  nor  TCAS  issues  a  last-minute 
instruction  to  avert  the  NMAC  (events  4-810  and  4-900) 

Source  of  the  Decision  to  Maneuver.  Of  primary  interest  on 
this  branch  of  the  fault  tree  is  the  reason  the  maneuver  is 
made.  The  fault  tree  divides  this  into  two  types:  an 
inappropriate  instruction  issued  to  the  pilot  (event  4-650)  or 
the  pilot's  choice  of  an  inappropriate  maneuver  because  of  his 
evaluation,  using  all  information  available  to  him  (including 
the  TCAS  TA  display)  (event  4-750). 
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Under  event  4-650,  there  are  two  sources  of  instructions  which 
can  lead  to  NMAC:  the  controller  (event  6-665)  and  TCAS  RAs 
(event  6-670).  We  are  not  concerned  with  the  causes  of  the 
controller’s  inappropriate  instruction,  but  rather  TCAS’ 
ability  to  resolve  them,  and  thus  event  6-665  is  not  developed 
further.  We  are  concerned  with  causes  of  inappropriate  TCAS 
RAs;  a  full  development  of  these  faults  is  contained  in 
Appendix  G. 

Given  that  an  Inappropriate  instruction  was  Issued,  we  assume 
it  is  followed  (leading  to  an  NMAC)  unless  the  pilot  determines 
it  is  incorrect  and  takes  an  alternate  action.  The  four  basic 
sources  of  information  that  can  Indicate  to  the  pilot  the  need 
for  alternate  action,  and  the  events  that  describe  their 
failure,  are: 

•  Visual  acquisition  (event  6-685).  We  assume  that  if 
the  pilot  can  visually  acquire  the  other  aircraft,  he 
can  avoid  the  NMAC.  The  TCAS  TA  can  assist  the 
pilot’s  visual  acquisition.  Failures  are  described 
under  event  6-685. 

•  Voice  communications  (event  6-705).  There  is  a 
possibility  that  the  pilot  could  determine  that 
alternate  action  is  required  by  what  he  hears  over  the 
radio . 

•  TCAS  Traffic  Advisory  (event  6-715).  There  is  also  a 
possibility  that  the  TA  itself  can  show  an  instruction 
to  be  incorrect.  (This  does  not  imply  the  pilot 
maneuvers  on  the  TA;  it  is  a  case  of  not  following  an 
instruction  because  the  TA  makes  it  appear  incorrect). 
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•  TCAS  Resolution  Advisory  (event  6-745).  In  the  case 

of  an  instruction  being  issued  by  the  controller,  if  a  < 

preventive  RA  is  being  displayed,  it  could  act  to 
avoid  the  induced  NMAC. 

The  TCAS  TA  rarely  provides  any  reason  not  to  take  an  incorrect  ( 

RA;  thus,  visual  acquisition  (aided  by  the  TA,  which  will 
almost  always  be  present)  is  the  primary  means  by  which  any 
incorrect  RA  is  recognized  as  such.  The  TCAS  TA  and  RA  both 

k 

provide  mechanisms  to  avoid  an  NMAC  due  to  an  incorrect  | 

controller’s  instruction. 

In  those  cases  where  the  pilot  selected  an  inappropriate 

maneuver  (event  4-750),  we  assume  the  pilot  used  the  TA  display  P| 

to  help  locate  and  avoid  any  proximate  aircraft.  Reasons  why 
failure  might  occur  are  detailed  under  event  5-780. 

The  maneuvers  selected  are  divided  into  those  which  are  made 
for  separation  assurance  (event  6-764)  and  those  which  are  made 
for  other  reasons  (event  6-762).  Those  made  for  separation 
assurance  are  further  divided  into  those  where  the  pilot 
determined  the  need  to  maneuver  based  on  information  TCAS 
displayed  (event  7-766)  or  other  reasons  (event  7-767).  No 
further  development  is  done  for  events  6-762  and  7-767;  we  will 
only  be  interested  in  TCAS*  ability  to  resolve  these  maneuvers 
and  not  in  the  pilot's  reasons  for  selecting  them. 

For  the  case  where  the  pilot  might  misuse  the  TA  display  to 
make  a  maneuver  leading  to  an  NMAC,  three  conditions  must  be 
satisfied: 


7-16 


•  A  Traffic  advisory  must  be  displayed  (event  8-769) 

•  The  pilot  must  choose  to  maneuver  based  on  the  TA 
(event  8-768) 

•  The  maneuver  selected  must  be  such  as  to  lead  to  a 
critical  NMAC  (event  8-771) 

Issuance  of  an  Instruction  to  Avert  the  NMAC.  The  structure 
under  event  3-800  describes  the  failures  of  mechanisms  which 
can  act  to  avert  the  induced  NMAC.  The  possibility  exists  that 
the  controller  (event  4-810)  can  recognize  the  conflict  and 
correct  it,  but  this  possibility  is  not  analyzed  in  the  study. 
Similarly,  the  possibility  that  TCAS  corrects  the  maneuver  with 
an  RA  (event  4-900)  is  noted  but  not  assessed.  In  the  case  of 
an  RA  inducing  an  NMAC  because  the  intruder  made  a  sudden 
maneuver  (event  6-670),  it  is  possible  to  receive  an  "advisory 
not  OK"  (event  5-960)  which  can  alert  the  pilot  to  stop 
executing  the  RA.  This  analysis  does  not  account  for  that 
feature  either. 


7.2  A  Methodology  for  Quantifying  the  Fault  Tree 


The  TCAS  fault  tree  provides  a  means  by  which  the  interactions 
of  various  elements  of  the  system  can  be  assessed  from  a  System 
Safety  point  of  view.  The  characterization  of  the  airspace  and 
the  failure  rates  generated  in  earlier  sections  provide  the 
probabilities  of  occurrence  of  events  within  the  fault  tree. 

The  structure  of  the  fault  tree  determines  how  these 
probabilities  combine  to  form  the  estimate  of  the  probability 
of  the  top  event.  Sensitivity  analysis  (to  be  discussed  in 
Section  8)  will  be  performed  to  assess  the  impact  of  changes  in 
failure  rates  and  assumptions  on  the  performance  of  the  system 
as  a  whole. 
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We  have  modified  the  normal  process  for  quantifying  a  tree  in 
order  to  assess  the  Risk  Ratio  —  that  is,  the  risk  relative  to 
the  current  risk.  While  the  relative  risk  is  usually  the 
desired  information,  the  absolute  risk  of  encountering  a 
critical  NMAC  can  be  obtained  by  multiplying  the  Ratio  by  the 
current  risk,  1  x  10  per  hour,  as  found  in  Section  3.3.4. 

7.2.1  Approach  to  Quantifying  the  Fault  Tree  to  Obtain  the 
Risk  Ratio 

In  classical  fault  tree  analysis,  one  obtains  probabilities  for 
all  the  primary  (bottom)  events  in  the  tree.  These  probabil¬ 
ities  are  combined  at  the  gates  in  the  tree,  going  from  the 
lowest  level  to  the  top  gate,  in  order  to  estimate  the 
probability  of  the  top  event.  If  events  are  independent, 
probabilities  sum  at  OR  gates  and  multiply  at  AND  gates.  If 
interdependent,  probabilities  can  range  from  the  sum  to  the 
maximum  of  the  probabilities  at  an  OR  gate  and  from  the  product 
to  the  minimum  at  an  AND  gate.  The  level  of  interdependence 
determines  where  within  these  limits  the  probability  will  be. 

The  fault  tree  structure  is  used  as  a  qualitative  mechanism  to 
identify  all  possible  TCAS  failure  mechanisms,  as  well  as  to 
evaluate  interdependencies  among  TCAS  and  the  ATC  environment. 
As  a  quantitative  mechanism,  we  will  use  the  fault  tree  to 
calculate  the  relative  risk  (the  overall  Risk  Ratio).  For 
purposes  of  the  fault  tree  analysis ,  this  involves  replacing 
failure  rates  for  non-TCAS-related  branches  with  1.0  at  AND 
gates  and  0.0  at  OR  gates  (where  these  gates  combine  with  a 


)  and  computing  cne  regular  proDaDinties  ror 
es.  When  we  reach  the  top  event  we  will  have 
of  an  NMAC  with  TCAS  relative  to  the  current 


To  account  for  the  range  of  conditions  over  which  TCAS  must 
operate,  we  use  weighted  averages  for  those  conditions  found  in 
Section  3.  For  example,  calculation  of  the  effects  of 
altimetry  error  takes  into  account  the  fraction  of  aircraft 
involved  in  NMACs  that  have  high  quality  altimetry  (assumed  to 
be  all  air  carrier  and  military  aircraft,  21  percent)  and  the 
fraction  that  have  the  basic,  or  uncorrected  altimetry  (assumed 
to  be  all  GA  and  other  aircraft,  79  percent).  Likewise,  in 
Section  3  good  conditions  for  visual  acquisition  of  other 
aircraft  (bright  daylight)  were  found  to  exist  for  70  percent 
of  the  incidents,  so  this  will  be  used  when  visual  acquisition 
is  of  importance.  Other  conditions  include  glaring  sun,  night, 
dusk,  dawn,  overcast,  etc;  for  the  analysis,  these  are 
arbitrarily  assumed  to  be  inadequate  for  visual  acquisition. 

Similar  methods  were  used  for  estimation  of  other  probabil¬ 
ities;  as  a  consequence,  the  failure  probabilities  generated 
are  failure  rates  over  the  entire  airspace,  with  factoring 
already  done  to  weight  the  probability  of  being  in  any  given 
airspace.  The  failure  rates  are  thus  intended  to  assess  the 
overall  impact  of  TCAS,  and  not  to  predict  its  performance 
under  any  particular  situation. 


7.2.2  Summary  of  Failure  Probabilities 


Table  7-1  is  a  restatement  of  the  basic  probabilities  obtained 
from  Sections  3,  4,  5,  and  6.  From  this  data  the  failure  rates 
of  various  events  in  the  fault  tree  can  be  obtained;  this  is 


TABLE  7-1 

SUMMARY  OF  BASIC  PROBABILITIES 


CONDITION  PRESENT  PROBABILITY 


Instrument  Meteorological  Conditions  .16 

Bright  Daylight  Conditions  .70 

GA  and  "other"  Aircraft  .79 

Intruder  is  Transponder  Equipped  .92 

Intruder  is  Mode  C  Transponder  Equipped  .61 

Risk  Ratio  for  GA  Altimetry  . 0] 

Unresolved  Component 
Induced  Component 

Risk  Ratio  for  Maneuvering  Intruder  .02 

Probability  of  not  being  tracked 

at  time  of  TA  .06 

at  time  of  RA  .02 

Risk  Ratio  for  "Stuck  C-Bit”  .0C 

Risk  Ratio  for  Equipment  Failure  .OC 

Probability  of  not  visually  acquiring 
in  bright  daylight  conditions 

by  15  s  before  CPA  .17 

by  time  of  RA  .31 


SECTION 

REFERENCE 


shown  in  Table  7-2.  The  first  column  describes  the  event  or 
failure;  major  failures  are  assigned  numbers,  while  components 
of  those  failures  are  assigned  letter  identifiers.  The  event 
number  associated  with  the  failure  occurrence  is  listed  in 
column  2,  and  the  event's  probability  is  listed  in  column  3. 

The  way  these  failure  probabilities  are  derived  from  Table  7-1 
is  Indicated  in  column  4. 

7.2.3  Human  Factors 

There  is  no  data  base  from  which  to  assign  nominal  failure 
rates  to  human  factors  failures.  These  human  factors  are 
important,  however,  and  thus  we  will  use  several  variable 
quantities  to  indicate  human-factor  failure  rates.  They  will 
be  replaced  by  numerical  quantities  in  the  sensitivity  analysis 
of  Section  8.  These  account  for  the  use  of  visual  acquisition, 
the  use  of  the  Traffic  Advisory,  and  the  use  of  the  Resolution 
Advisory.  In  turn,  these  may  be  broken  down  further  depending 
upon  whether  an  action  is  taken  or  not  taken. 

•  Visual  Acquisition  (V).  Upon  visual  acquisition,  as 
aided  by  TCAS,  it  is  expected  that  the  pilot  will  be 
able  to  avoid  an  NMAC.  However,  this  might  fail  in 
one  of  two  ways: 

-  VNA:  The  pilot  visually  acquires  the  threat,  but 
does  Not  Avoid  the  NMAC  (Events  7-396  and  7-392). 
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-  VMIR:  The  pilot  visually  acquires  the  threat  but 
still  Maneuvers  on  an  Incorrect  Resolution  Advisory 
(Event  8-796). 

•  Resolution  Advisory  (R)i  Expedient  action,  at  least 
compatible  with  the  RA,  is  necessary.  Various  factors 
may  inhibit  the  pilot's  reaction  thereby  failing  to 
avoid  an  NMAC.  This  leads  to  the  following  failure: 

-  RNF:  The  pilot  does  Not  Follow  the  RA  (Event 
5-440). 

•  Traffic  Advisory  (T):  The  intent  of  the  TA  is  to 
alert  the  pilot  to  search  for  the  intruder.  If  visual 
acquisition  is  not  achieved  and  action  is  taken  on  the 
TA  alone,  failure  may  occur  in  one  of  two  ways: 

-  TNA:  Based  on  his  interpretation  of  the  TA,  the 
pilot  disregards  an  RA  or  what  he  sees  and  does  Not 
Avoid  the  NMAC. 

-  TI:  The  pilot  maneuvers  to  Induce  an  NMAC  based  on 
his  interpretation  of  the  TA. 

These  five  failure  mechanisms  (represented  by  the  variables 
VNA,  VMIR,  RNF,  TNA,  and  TI)  will  be  treated  in  the 
quantitative  analysis  of  the  fault  tree. 

7.3  Reduction  and  Evaluation  of  the  Fault  Tree 

The  evaluation  of  the  fault  tree  is  simplified  if  a  nominal,  or 

baseline,  set  of  operational  conditions  is  assumed.  Variations 
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from  these  nominal  conditions  can  then  be  explored  in  a 
subsequent  analysis  of  the  sensitivity  to  these  assumptions. 

The  assumed  nominal  conditions  are: 

1.  If  a  pilot  visually  acquires  a  conflicting  aircraft, 
he  will  avoid  it. 

2.  In  absence  of  visual  acquisition,  the  pilot  follows 
the  Resolution  Advisory. 

3.  Visual  acquisition,  as  aided  by  the  Traffic  Advisory 
display  for  Mode  C  aircraft,  is  assumed  to  be 
effective  only  in  bright  daylight. 

4.  The  airborne  traffic  has  today's  level  of  transponder 
and  Mode  C  equipage. 

3.  The  intruder  is  not  TCAS-equipped.  (If  the  intruder 
were  TCAS-equipped,  it  would  have  air  carrier  quality 
altimetry,  and  its  displayed  escape  maneuver  would  be 
coordinated. ) 

6.  No  "false  moves"  are  made  by  the  TCAS  pilot  either 
from  confusion  or  from  prematurely  maneuvering  based 
on  a  Traffic  Advisory. 

7.  Today's  level  of  vigilance  for  see-and-avoid 
procedures  is  maintained;  that  is,  TCAS  does  not  cause 
the  pilot  to  relax  his  guard. 


A  second  simplification  occurs  because  we  are  computing  the 
relative  probability  of  an  NMAC.  We  first  identify  all 


non-TCAS  branches  and  assign  probabilities  of  1.0  or  0.0  to 
them;  this  will  substantially  reduce  the  size  of  the  tree  for 
analysis.  We  can  then  compute  the  probabilities  at  the 
remaining  gates  from  the  bottom  up.  The  000  Branch  of  the 
tree,  Unresolved  NMAC,  will  be  reduced  and  evaluated  first, 
followed  by  the  500  Branch  of  the  tree,  Induced  NMAC. 

7.3.1  Branch  000  of  the  Fault  Tree,  Unresolved  NMAC 

7. 3. 1.1  Reduction  of  000  Branch 

For  computation  of  relative  risk,  we  have  reduced  the  000 
branch  of  the  fault  tree  that  was  shown  in  Figure  7-2  to  the 
form  shown  in  Figure  7-4.  It  contains  branches  for  controller 
faults  (event  3-100),  pilot  faults  (many  of  the  branches  under 
event  4-350),  and  TCAS  faults  (some  of  the  branches  under  event 
4-350  and  the  branch  under  event  4-410).  For  computation  of 
relative  risk,  we  have  reduced  it  as  follows. 

Controller  Faults:  Branch  100 

Controller  faults  enter  the  tree  in  the  branch  under  event 
3-100,  combining  with  the  pilot-TCAS  branch  (3-300)  at  an  AND 
gate.  The  controller  faults  are  independent  of  pilot  faults; 
the  introduction  of  TCAS  provides  some  common  cause  failures 
(in  particular,  with  conflict  alert),  but  it  will  be  assumed 
their  effect  on  the  independence  between  events  3-100  and  3-300 
is  negligible. 

We  will  assign  a  failure  rate  of  1.0  to  event  3-100.  (A 
failure  is  presumed  to  have  already  occurred,  or  the 
pre-existing  NMAC  would  not  be  in  process.)  Since  we  are 
assuming  independence  between  events  3-100  and  3-300,  this  will 
multiply  with  the  failure  rate  of  event  3-300.  The 
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probability  of  an  unresolved  critical  NMAC  (event  000)  then 
becomes  the  same  as  the  probability  that  the  pilot  does  not 
maneuver  the  aircraft  based  on  his  information  (event  3-300). 
This  is  consistent  with  assumptions  that  there  are  no 
interactions  between  the  controller  and  the  pilot  using  TCAS. 

Pilot  Faults:  Branch  350 

Pilot  faults  enter  the  tree  in  the  branch  under  event  4-350; 
these  combine  with  the  faults  for  TCAS  Resolution  Advisories, 
event  4-410.  TCAS  Traffic  Advisory  faults  appear  under  the 
pilot  branch  because  a  Traffic  Advisory  is  an  aid  to  visual 
acquisition  of  a  threat  and  thus  changes  pilot  failure  rates 
for  visual  acquisition. 

In  the  course  of  analysis,  we  are  going  to  assume  that  pilot's 
unaided  visual  acquisition  (event  6-360)  and  perception  of 
conflict  from  communications  (event  6-370)  have  already  failed 
and  thus  assign  them  failure  rates  of  1.0.  All  other  branches 
of  the  fault  tree  constitute  TCAS-related  faults  or  relate  to 
environmental  conditions  in  which  TCAS  will  operate ;  these 
branches  will  have  an  effect  on  the  computation  of  relative 
risk. 

7.3.1. 2  Evaluation  of  000  Branch 

Figure  7-4  shows  the  operational  events  and,  by  implication, 
the  environmental  features  which  can  constitute  a  certain  class 
of  fault  mechanisms  for  TCAS.  Certain  interpendencies  exist 
which  are  not  explicitly  defined  within  the  structure  but  must 
be  taken  into  account.  Where  this  occurs  must  look  down  to 

the  subevents  below  the  event  being  evaluated  to  insure  that 
common  causes  and  operational  requirements  are  treated 
correctly.  We  evaluate  these  events  by  calculating  the  joint 
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probabilities  of  all  subevents  at  a  level  below  which  no 
interdependence  exists.  For  branch  000  of  the  fault  tree,  that 
level  is  approximately  the  bottom  level  depicted  in  Figure  7-4. 

One  can  go  through  the  process  of  calculating  the  joint 
probabilities  for  each  event  in  the  tree;  this  process  is 
performed  in  Appendix  G  and  the  results  brought  forward  for 
events  4-350  and  4-410  in  Figure  7-5.  The  failure  rate  for 
event  3-300  will  be  developed  here. 

Estimation  of  Event  3-300,  Failure  of  Pilot  to  Avoid  NMAC  with 
the  Aid  of  TCAS 

As  events  4-350  and  4-410  are  not  independent,  the 
probabilities  do  not  multiply  to  generate  the  probability  of 
event  3-300.  Instead,  the  common  causes  of  failures  for  both 
4-350  and  4-410  must  be  identified  and  the  analysis  performed 
to  recognize  the  common  failures.  In  particular,  there  are 
major  common  cause  failures  for  Traffic  Advisories  and 
Resolution  Advisories.  Non-transponder  aircraft  cause  both  TA 
and  RA  "failure" ;  surveillance  failure  often  causes  both  TA  and 
RA  failure.  We  must  calculate  the  joint  probabilities  of  these 
events  in  order  to  accurately  calculate  the  total  failure  rate 
for  event  3-300. 

Figure  7-6  illustrates  how  this  probability  is  calculated.  The 
diagram  (NOT  to  scale)  first  breaks  up  all  current  NMAC 
encounters  (1.0  or  100  percent)  into  those  in  which  a  TA  is 
displayed  and  those  in  which  one  is  not  displayed.  Some  of  the 
probabilities  are  obtained  directly  from  Table  7-2;  others  will 
be  derived  after  a  discussion  of  the  meaning  of  the  figure.  If 
a  TA  is  not  displayed,  TCAS  does  not  improve  the  inherent 
visual  acquisition  of  the  pilot.  If,  in  addition,  no  RA  is 
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received,  these  encounters  will  contribute  to  the  failure 
probability  of  event  3-300,  as  indicated  by  the  shading  in  the 
last  column  of  the  bottom  row.  The  probability  of  this 
occurrence  is  shown  to  the  right  of  the  shaded  column. 

Two  processes  are  at  work  here:  a  see-and-avoid  process 
(4-350)  and  a  process  of  following  a  displayed  RA  (4-410).  We 
assume  that,  if  the  pilot  visually  acquires  the  aircraft  before 
an  RA  is  issued  (top  row  of  Figure  7-6),  he  can  avoid  the 
aircraft  in  all  but  (VNA  +  TNA)  of  the  encounters,  regardless 
of  whether  an  adequate  RA  is  displayed.  Should  the  pilot  not 
visually  acquire  the  aircraft  before  the  time  of  the  RA,  he 
follows  it  in  all  but  RNF  of  the  encounters  (if  one  is 
displayed)  while  continuing  to  try  to  visually  acquire  the 
threat.  In  some  instances,  the  RA  may  not  generate  adequate 
separation;  if  the  pilot  visually  acquires  the  threat,  it  is 
assumed  he  can  determine  that  this  is  the  case  and  take  an 
alternate  action  in  all  but  VMIR  of  the  encounters. 

The  probabilities  listed  in  Figure  7-6  are  derived  from  Table 
7-2.  Those  requiring  derivation  are  described  as  follows: 

•  A  failure  to  display  the  RA,  given  there  was  no 

preceding  TA,  can  arise  as  follows:  (1)  the  threat 
had  no  Mode  C  transponder;  or  (2)  poor  surveillance 
throughout  the  encounter.  We  know  the  probability 
over  all  encounters  of  these  two  occurrences.  The 
probability  of  encountering  a  non-transponder 
aircraft,  from  l.a.  in  Table  7-2,  is  .39.  (This  is 
the  principal  failure  mode  for  TCAS  in  today's 
environment.)  The  probability  of  surveillance  not 
acquiring  the  threat  in  time  for  the  TA  is  .06,  and  In 
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time  for  the  RA,  .03;  the  .03  is  contained  in  the  .06 
(the  two  are  not  independent),  so  the  probability  of 
no  TA  and  no  RA,  due  to  surveillance,  is  .06  -  .03  - 
.03.  The  set  union  of  these  two  occurrences  provides 
the  failure  rate  for  the  scenario  wherein  neither  a  TA 
nor  RA  is  received,  .41.  (The  failure  rate  for  no  RA 
given  no  TA,  .953,  is  provided  for  completeness.) 

•  The  probability  of  visually  acquiring  an  aircraft  by 
15  seconds  prior  to  CPA,  given  that  you  have  not 
acquired  it  by  the  time  of  the  RA,  is  .51;  this  is 
obtained  by  noting  that  the  probability  of  failing  to 
acquire  by  15  seconds  prior  to  CPA  is  (1-.51)  x  .35  or 
.17,  which  matches  the  result  3. a.  in  Table  7-2. 

•  Given  that  you  have  received  a  TA,  you  will  receive  an 
RA  with  probability  1.0;  it  will  be  inadequate  to 
avoid  the  NMAC  with  probability  .011,  because  of 
altimetry  error. 

We  can  summarize  the  failure  regions  of  Figure  7-6  which  do  not 
include  human  factors  as  follows: 

•  Encounters  in  which  neither  TA  nor  RA  4s  received. 

This  failure  is  primarily  caused  by  lack  of  mode  C 
equipage  levels,  and  is  the  principal  failure  mode  for 
TCAS.  (Probability:  .41) 

•  Bright  daylight  encounters  in  which  a  TA  is  received, 
visual  acquisition  does  not  occur  and  an  inadequate  RA 
is  generated.  (Probability:  .0008) 


•  Encounters  in  which  a  TA  is  received,  visual 
acquisition  is  not  possible,  and  an  inadequate  RA  is 
received.  (Probability:  .002) 

•  Encounters  in  which  a  TA  is  not  received  prior  to  the 
RA,  an  RA  is  generated,  but  it  is  inadequate  to  avoid 
the  NMAC.  (Probability:  .0004) 

In  addition,  there  are  failure  regions  of  Figure  7-6  which 
relate  to  human  factors  as  follows: 

•  Bright  daylight  encounters  in  which  a  TA  is  received 
and  visual  acquisition  does  occur  before  the  RA,  but 
the  pilot  fails  to  avoid  the  critical  NMAC  with 
probability  VNA  +  TNA.  (Probability:  .259(VNA  +  TNA) ) 

•  Bright  daylight  encounters  in  which  a  TA  is  received 
visual  acquisition  does  not  occur,  an  RA  is  generated, 
but  the  pilot  fails  to  follow  the  RA  with  probability 
RNF.  (Probability  =  .138  RNF) 

•  Bright  daylight  encounters  in  which  a  TA  is  received, 
visual  acquisition  occurs  but  not  before  the  RA  is 
issued.  An  inadequate  RA  is  issued,  and  the  pilot 
acquires  the  threat,  but  does  not  determine  the  RA  to 
be  inadequate  with  probability  VMIR.  (Probability 
.0008  VMIR) 

•  Encounters  in  which  a  TA  is  received,  visual 
acquisition  is  not  possible,  and  the  pilot  does  not 
follow  the  RA  with  probability  RNF.  (Probability  .169 


•  Encounters  in  which  no  TA  is  received,  an  RA  is 
received  but  is  not  followed  with  probability  RNF . 
(Probability  =  .020  RNF) 

The  total  failure  rate  for  event  3-300  is  thus  .413  +  .259  (VNA 
+  TNA)  +  .327  (RNF)  +  .0008  (VMIR);  this  becomes  the  failure 
rate  for  event  2-000,  an  unresolved  NMAC. 

7.3,2  Branch  500  of  the  Fault  Tree,  Induced  NMAC 
The  500  branch  of  the  fault  tree  is  the  combination  of  several 
cases  which  could  induce  an  NMAC,  some  of  which  TCAS  provides 
protection  against  and  some  of  which  TCAS  could  cause.  We  are 
going  to  neglect  those  cases  in  which  TCAS  provides  benefit,  as 
they  are  not  only  difficult  to  evaluate,  but  they  are  not 
frequent  occurrences.  We  will  instead  consider  only  the  cases 
wherein  TCAS  induces  a  near-midair  collision,  either  because  of 
a  Traffic  Advisory  or  because  of  a  Resolution  Advisory. 

7. 3. 2.1  Reduction  of  Branch  500 

The  reduced  500  branch  of  the  fault  tree,  Induced  NMAC,  is 
shown  In  Figure  7-7.  It  has  been  reduced  by  removing  the 
branches  for  non-TCAS  induced  NMACs,  as  follows. 

Traffic  Advisories- Induced  NMAC 
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is  represented  by  event  7-767.  This  is  the  only  TCAS-related 
event  under  event  5-760  (Pilot  Evaluates  Situation  and  Selects 
Untimely  Maneuver) . 

The  probability  of  any  event  contained  in  branch  760  is 
affected  by  branch  780;  that  is,  the  TCAS  TA  indicating  that 
the  pilot  should  not  make  the  selected  maneuver.  In  this  case, 
however,  TCAS  Traffic  Advisory  is  not  likely  to  provide  an 
Indication  to  the  pilot  that  he  should  not  choose  that 
maneuver,  since  the  pilot  chose  the  maneuver  based  on  the  TA; 
we  thus  assign  a  failure  rate  of  1.0  to  event  5-780. 

The  only  other  circumstances  that  could  modify  this  probability 
rely  on  corrective  instructions  from  the  controller  or  from 
TCAS  (by  means  of  a  Resolution  Advisory)  (events  4-810  and 
4-900).  Though  noting  this  possibility,  we  will  assign  failure 
probabilities  of  1.0  to  events  4-810  and  4-900.  Thus,  the 
probability  that  the  pilot  uses  a  TA  to  maneuver  into  an  NMAC 
will  be  taken  as  the  probability  of  event  7-767  (TCAS  Provides 
a  TA  Indicating  a  Conflict  Which  the  Pilot  Uses  to  Maneuver 
Into  an  NMAC) . 


Resolution  Advisory-Induced  NMAC 

The  event  of  a  Resolution  Advisory-induced  NMAC,  event  6-670, 
is  the  only  TCAS-related  component  of  event  5-660.  The 
likelihood  that  this  will  lead  to  a  critical  NMAC  can  be 
modified  by  only  two  other  branches. 


The  first  branch  is  event  5-680  (Pilot  Follows  the  Instruction 
Because  He  Does  Not  See  It  Will  Lead  to  an  NMAC)  and  below. 
There  are  four  basic  factors  which  could  cause  the  pilot  to 
perceive  that  the  RA  is  incorrect.  Voice  communications  (event 
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7-705)  are  assumed  not  to  provide  any  reason  not  to  take  the 
RA,  and  thus  event  7-705  is  assigned  a  failure  rate  of  1.0. 
Given  that  an  RA  has  been  issued  which  will  lead  to  an  NMAC, 
the  TA  (event  7-715)  is  not  likely  to  indicate  anything  wrong 
with  it  and  is  assigned  a  failure  rate  of  1.0,  and  since  it  is 
an  RA  that  has  been  issued,  no  preventive  RA  is  going  to  be  in 
existence  (event  7-745),  so  we  assign  it  a  failure  rate  of  1.0. 

This  leaves  only  event  6-685,  visual  acquisition,  to  override 
any  incorrect  RA.  The  failure  rate  will  have  two  components; 
these  are  represented  by  event  7-686,  the  pilot's  failure  to 
acquire  the  threat,  and  event  7-696,  the  failure  to  avoid  the 
threat  once  the  pilot  has  acquired  it. 

The  one  remaining  branch  that  can  affect  the  probability  that 
the  RA  will  lead  to  an  NMAC  is  the  one  under  event  3-800,  which 
in  turn  is  composed  of  a  controller  branch  (event  4-810)  and  a 
TCAS  branch  (4-900).  The  controller's  effect  will  be  neglected 
and  assigned  a  failure  rate  of  1.0.  In  addition,  TCAS  effect 
will  also  be  neglected  and  assigned  the  1.0  failure  rate,  even 
though  it  includes  a  branch  that  measures  the  effect  of  an 
"advisory  not  O.K.”  This  means  that  the  probability  of  event 
4-650,  Pilot  Maneuvers  Aircraft  Because  of  Instruction  Provided 
to  Him  (the  instruction  in  this  case  being  an  incorrect  RA),  is 
the  probability  that  an  RA  leads  to  an  NMAC. 

7. 3. 2. 2  Evaluation  of  the  500  Branch 


The  probability  of  the  lower  level  events  have  been  calculated 
and  are  shown  in  Figure  7-7.  When  calculating  the  probability 
of  event  4-650,  one  must  take  Into  account  that  branches  5-660 
and  5-680  are  interdependent,  so  the  analysis  to  obtain  the 
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the  probability  of  event  4-650  must  be  done,  as  follows,  in  a 
mannner  similar  to  that  of  event  3-300  in  branch  000  of  the 
tree.  The  result  must  then  be  summed  to  the  probability  of 
event  7-767  to  obtain  the  probability  of  event  2-500  (induced 
NMAC) . 

Estimation  of  Event  4-650 

The  method  by  which  the  probability  of  event  4-650  was 
calculated  is  illustrated  in  Figure  7-8.  There  are  two 
probabilities  assigned  to  the  scenarios  from  Table  7-2  which 
are  derived  as  follows: 

•  The  occurrence  of  an  encounter  in  which  an  incorrect 
RA  (one  that  would  induce  a  critical  NMAC  if  followed) 
is  received  is  the  set  union  of  the  events  associated 
with  failure  rates  6. a,  6.b.,  and  6.c.  from  Table 
7-2.  No  other  source  is  judged  to  be  significant. 

(See  Appendix  E  for  logic  verification  and  Section 
5.3,  equipment  reliability).  Recall  from  Sections 
4.1.5,  4.2.4,  and  5.2.4  that  the  probabilities  of 
these  occurrences  were  higher;  however,  those  analyses 
assumed  an  encounter  between  two  Mode  C  aircraft  and 
that  surveillance  had  acquired  the  aircraft.  Thus,  to 
obtain  the  probability  that  an  induced  NMAC  occurs  in 
the  TCAS  environment,  we  must  multiply  the 
probabilities  from  those  analyses  by  the  probability 
of  encountering  a  Mode  C  aircraft  (.61),  and  by  the 
probability  of  surveillance  acquiring  the  other 
aircraft  (.97)  to  obtain  the  probabilities  shown  in 
Table  7-2. 
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BABILITY  OF  EVENT  4-650 


•  The  probability  a  TA  was  received.  Since  an  RA  was 
received,  this  is  a  conditional  probability  of 
receiving  a  TA,  given  the  existence  of  an  RA.  This 
probability  is  .97  and  is  obtained  as  follows:  there 
is  only  one  failure  mechanism  by  which  one  can  receive 
an  RA  without  having  received  the  TA  on  time  — 
surveillance  failure  causing  the  TA  not  to  be  received 
on  time,  but  no  surveillance  failure  at  the  time  of 
the  RA.  Thus,  we  divide  the  success  rate  for  a  timely 
TA,  .94,  by  the  success  rate  for  a  timely  RA,  .97,  to 
obtain  the  success  rate  for  a  TA  given  the  existence 
of  an  RA,  or  .97. 

The  failure  scenarios  for  this  event  with  their  associated 
probabilities  are: 

•  Encounters  in  which  visual  acquisition  occurs  but  the 
pilot  does  not  see  that  the  RA  is  incorrect  with 
probability  VMIR.  (Probability:  .014  VMIR) 

•  Encounters  in  which  a  TA  is  received  and  visual 
acquisition  Is  possible,  but  falls  to  occur. 
(Probability  .0029) 

•  Encounters  in  which  a  TA  is  received,  but  visual 
acquisition  is  not  possible.  (Probability:  .0073) 

•  Encounters  in  which  a  TA  is  not  received. 

(Probability:  0.0008) 

The  sum  of  these  probabilities,  .011  +  .014  VMIR,  is  the 
probability  that  the  pilot  will  follow  an  incorrect  RA. 


Estimation  of  Event  7-767 

The  probability  that  a  Traffic  Advisory  induces  an  NMAC  is  the 
probability  of  the  joint  occurrence  of  three  events:  That  a  TA 
is  displayed,  that  the  pilot  maneuvers  on  the  basis  of  that  TA, 
and  that  the  maneuver  induces  an  NMAC.  The  derivation  of  each 
probability,  as  listed  in  the  tree  in  Figure  7-7,  is  as  follows 

•  Pilot  Decides  to  Maneuver  Based  on  a  TCAS  TA  Only 
(event  8-768).  This  has  been  assigned  the  Variable 
TI,  which  was  described  earlier. 

•  TCAS  Displays  a  Traffic  Advisory  (event  8-769).  If 
every  aircraft  were  Mode-C  equipped  and  surveillance 
had  a  100%  acquisition  rate,  TCAS  would  display  a  TA 
on  every  proximate  aircraft.  The  number  of  proximate 
aircraft  is  approximately  10  times  the  number  of 
current  NMACs;  however,  since  only  61  percent  of  these 
proximate  aircraft  will  be  Mode-C  equipped  and 
surveillance  will  only  acquire  97  percent  of  them,  the 
number  of  TAs  displayed  for  these  aircraft  will  be 

.61  x  .97  x  10  or  5.9,  as  shown  above  event  8-769. 

The  significance  of  this  is  that  a  number  of  proximate 
encounters  equal  to  5.9  times  the  number  of  NMACs  in 
today's  environment  will  display  a  TA  that  could  lead 
to  an  induced  NMAC,  if  all  conditions  were  unfavorable, 

•  Pilot  Selects  an  Inappropriate  Maneuver  Based  on  the 
TCAS  TA  Display  (event  8-771).  We  have  assumed  a 
random  model  of  pilot  maneuvers  in  the  vertical 


dimension,  which  does  not  utilize  any  of  the 
information  presented  in  the  TA  display  and  which 
totally  neglects  any  information  obtained  by  visual 
acquisition  and/or  a  Resolution  Advisory.  We  will 
assume  that,  on  receipt  of  the  TA,  the  pilot  maneuvers 
to  another  altitude  within  +  1000  feet  of  his  original 
altitude.  As  proximate  encounters  are  uniformly 
distributed  in  the  vertical  dimension,  there  is  a  0.1 
probability  that  the  intruder  passes  within  +  100  feet 
of  the  altitude  the  pilot  maneuvers  to  ((100  feet 
above  +  100  feet  below)/(1000  feet  above  +  1000  feet 
below) ) . 

These  three  probabilities  multiply  to  produce  the  probability 
(.59  TI)  that  a  vertical  maneuver  by  the  pilot  based  on  the  TA 
induces  an  NMAC.  This  result  is  conservative  in  several 
respects:  1)  it  assumes  the  pilot  does  not  make  a  horizontal 
maneuver  which  could  avoid  the  NMAC;  2)  it  assumes  that  the 
pilot  does  not  use  correct  information  provided  to  make  a  safe 
maneuver,  but  instead  moves  in  a  random  manner. 

This  probability  is  summed  with  the  probability  of  event  4-650 
to  obtain  the  probability  of  event  3-600.  Since  we  assumed  the 
probability  of  event  3-800  to  be  1.0,  the  sum  carries  to  the 
top  of  the  tree.  The  probability  of  event  2-500  is  thus  .011  + 
.014  VMIR  +  .59  TI. 


7.4  Summary  of  Results 


The  probabilities  calculated  for  events  2-000  and  2-500  are 
brought  forward  in  Figure  7-9.  As  these  two  events  are 
mutually  exclusive,  we  can  sum  the  two  probabilities  to  obtain 


FIGURE  7-9 

CALCULATION  OF  THE  PROBABILITY  OF  TOP  EVENT 


the  probability  of  a  critical  near  midair  collision,  which  is 
.424  plus  a  residual  composed  of  human  factors  failures. 

Aside  from  the  human  factors  components,  one  result  stands 
out:  of  the  .424  probability,  approximately  .39  is  the 
probability  that  an  NMAC  encounter  already  occurring  is  with  an 
aircraft  without  a  Mode  C  transponder  and  represents  the  area 
in  which  the  greatest  improvement  can  be  obtained.  Of  the 
remaining  .034  (.424  -  .39),  .02  is  due  to  surveillance 
failure.  The  balance,  .014  (an  order  of  magnitude  lower  than 
that  due  to  transponder  non-equipage),  is  composed  of  altimetry 
errors  and  the  maneuvering  intruder  hazard. 


SENSITIVITY  ANALYSIS 

The  analysis  of  Section  7  used  the  best  estimates  based  on 
available  data  for  transponder  equipage,  surveillance  failure, 
altimetry  error,  and  the  likelihood  of  a  sudden  intruder 
maneuver.  It  assumed  that  visual  acquisition  allowed  the  pilot 
to  separate  himself  from  the  threat  and  that  the  RA  was 
followed  under  all  non-visual  conditions.  This  section 
discusses  the  sensitivity  of  the  results  to  each  of  those 
assumptions. 

8.1  Error  Rates  and  Assumptions  Analyzed 

Sensitivity  of  five  basic  system  fault  probabilities  was  tested 
in  this  analysis:  Mode  C  equipage,  surveillance  failure, 
altimetry  error,  maneuvering  intruder  hazard,  and  human 
factors.  To  test  the  change  in  the  probability  of  events  2-000 
and  2-500  (and  thus  the  top  event)  corresponding  to  changes  in 
failure  rates  of  these  elements,  the  failure  rates  were  varied 
between  bounds  judged  appropriate  for  each  element,  as  follows: 

•  Equipage:  The  nominal  probability  for  an  encounter 
with  a  Mode  C  aircraft  is  .61.  To  test  the  effect  of 
this  factor,  the  calculations  were  also  run  assuming 
all  aircraft  Mode  C  equipped. 

•  Surveillance:  The  nominal  surveillance  track 
probability  is  .94  for  a  TA  and  .97  for  an  RA.  This 
quantity  was  explored  by  alternatively  improving 
surveillance  by  a  factor  of  three  and  degrading  it  by 
a  factor  of  about  two  (e.g.,  probability  of  receiving 


•  Altimetry  error.  The  only  significant  component  is 
that  ascribed  to  general  aviation  aircraft 
(uncorrected  static  error).  The  nominal  errors 
(standard  deviation)  are  given  in  Table  4-2. 
Sensitivity  to  this  parameter  was  tested  both  by 
varying  it  plus  and  minus  20  percent;  and  by  changing 
the  form  of  the  distribution  from  Gaussian  to 
exponential. 

•  Maneuvering  Intruder  Hazard:  The  overall  probability 
of  encountering  an  intruder  that  would  start 
maneuvering  in  such  a  manner  and  at  just  the  time  to 
"fake  out"  the  TCAS  and  cause  an  NMAC  was  estimated 
from  airborne  data.  The  sensitivity  to  this  factor 
was  explored  by  changing  the  maneuver  probability  by 
50  percent,  both  higher  and  lower. 

•  Human  Factors.  In  the  nominal  case,  no  pilot  failure 
modes  were  accounted  for,  although  five  were 
identified.  To  give  some  indication  of  the  effect  of 
these  failure  modes,  they  were  permitted  to  fail  at 
the  rate  of  1  in  20. 

Also,  three  basic  assumptions  were  made  in  the  nominal 
estimate:  TAs  were  not  given  on  aircraft  that  are  transponder 
equipped,  but  which  do  not  report  Mode  C;  visual  acquisition, 
as  enhanced  by  the  TCAS,  is  used  to  provide  separation,  and  RAs 
are  followed  in  instrument  meteorological  conditions  (IMC). 

The  sensitivity  analysis  tests  the  opposing  assumptions:  that 
TAs  are  given  on  non-Mode  C  aircraft,  that  enhanced  visual 
acquisition  is  completely  ineffective  (e.g.  no  TA  display),  and 
that  RAs  are  not  followed  in  IMC. 

8-2 


-M  -a  . 


In  the  analysis  that  follows,  each  of  these  variations  is 
assessed  individually.  The  relevant  probabilities  are  changed, 
and  the  analysis  shown  in  Section  7  is  repeated  to  obtain  new 
probabilities  for  the  top  events.  The  resulting  probabilities 
and  their  impacts  on  the  calculations  are  described. 

8.2  Changes  in  Individual  Failure  Probabilities 
Table  8-1  describes  the  parameters  which  were  varied 
individually  in  the  fault  tree  to  analyze  these  scenarios;  it 
is  a  modification  of  Table  7-2,  Column  1  lists  the  events  that 
the  parameter  affects;  the  number  or  letter  listed  refers  to 
the  event  listed  in  Table  7-2.  Column  3  lists  the  value  of 
this  probability  used  in  the  nominal  analysis  of  Section  7; 
column  4  lists  the  changed  probabilities  to  be  analyzed. 

In  the  surveillance  failure  case,  failure  rates  l.b.  and  4.b. 
from  Table  7-2  change  at  the  same  time;  in  the  altimetry  error 
case,  both  5. a.  and  6. a.  change;  and  in  the  case  of  visual 
acquisition  not  effective,  failure  rates  for  acquisition  by  the 
time  of  the  RA  and  by  15  seconds  prior  to  CPA  both  become  unity 

Note  in  the  case  of  altimetry,  we  did  not  vary  the  failure  rate 
itself  but  instead  the  cause  of  the  failure  rate,  altimetry 
error.  A  20  percent  larger  altimetry  error  produced  more  than 
double  the  failure  rate  for  inadequate  RAs  and  RAs  which 
induced  an  NMAC;  a  20  percent  lower  altimetry  error  lowered  the 
failure  rate  to  less  than  half  its  nominal  value.  Using  the 
nominal  altimetry  error  and  changing  the  distribution  from 
Gaussian  to  exponential,  as  noted  in  Section  4. 2. 4. 2,  produced 
the  changed  input  probabilities  listed  in  Table  8-1. 


TABLE  8-1 

CHANGES  IN  FAULT  TREE  INPUT  PROBABILITIES 


PARAMETER 


1.  Mode  C  equipage 


2.  Surveillance 
failures 


3.  Altimetry  error 
magnitude 


4.  Altimetry  error 
distribution 


5.  Maneuvering 
intruder  hazard 

6.  Human  factors 
failures 


7.  Non-Mode  C 
tracking 


8.  Visual 

Acquisition 

Ineffective 


9.  Do  not  follow 
RA  in  IMC 


EVENT 

(Table  7-2) 


1.)  No  TA  is  displayed 

l.a.)  Encounter  with  a  non- 

Mode  C-equipped  aircraft 
4.)  No  RA  is  displayed 

4. a.)  Encounter  with  a  non- 

Mode  C-equipped  aircraft 

l.b.)  Surveillance  does  not 
acquire  threat  in  time 
for  TA 

4. b. )  Surveillance  does  not 

acquire  threat  in  time 
for  RA 

5.  a.)  Inadequate  RA  is 

displayed 

6.  a.)  RA  is  displayed  which 

will  lead  to  NMAC* 

5.  a.)  Inadequate  RA  is 

displayed 

6.  a.)  RA  is  displayed  which 

will  lead  to  NMAC* 

b.b.)  RA  is  displayed  which 
will  lead  to  NMAC* 

Inappropriate  pilot  reaction 
(per  decision/encounter) 


1.)  No  TA  is  displayed 

l.a)  Encounter  is  with 

non-transponder  aircraft 

3.)  Pilot  does  not  visually 
acquire  aircraft  (in  good 
VMC  with  TA  as  aid) 

3. a.)  In  time  to  avoid  NMAC 
(15  sec.  prior  to  CPA) 
3.b.)  Prior  to  RA 

(No  probability  Involved;  16 
percent  of  RAs  issued  not  used.) 


NOMINAL 
PROBABILITY 
(Section  7) 


SENSITIVITY 

VALUES 


06 

.10 

.02  1 

03 

.06 

.01  | 

Oil 

.027 

.0041  | 

0081 

.022 

.0024  | 

Oil 

.023 

0081 

.018 

016 

.024, 

.008  | 

0 

.05  | 

43 

.14 

39 

.08 

17 

1.0 

35 

1.0 

*  Assumes  61%  of  encounters  with  Mode  C-equipped  aircraft, 
97%  surveillance  acqusitlon  rate. 
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8.3  Changes  In  Overall  Failure  Probabilities 
The  resulting  changes  in  probability  for  events  2-000,  2-500 
and  the  top  event  are  listed  in  Table  8-2.  They  are  graphed  in 
Figure  8-1  on  a  logarithmic  scale  to  show  the  small  changes  in 
magnitude  for  event  2-500  more  clearly.  The  lines  across  the 
bars  represent  the  nominal  probability  of  each  event.  It 
should  be  noted  that  a  change  in  probability  of  event  2-000  is 
accompanied  by  a  corresponding  change  in  the  probability  of 
event  2-500  in  most  cases.  For  example,  higher  Mode  C  equipage 
results  in  a  much  lower  probability  of  an  unresolved  NMAC  but  a 
higher  probability  of  an  induced  NMAC. 

Surveillance  failure  has  little  effect  on  the  probability  of 
both  unresolved  and  induced  NMACs.  Altimetry  error  and 
maneuvering  intruder  hazards  have  no  discernable  impact  on 
unresolved  NMACs,  but  induced  NMACs  are  sensitive  to  these 
factors.  If,  instead  of  the  Gaussian  error  model,  an 
exponential  error  model  is  assumed  and  the  failure  probabil¬ 
ities  are  calculated,  the  effect  is  similar  to  using  the 
Gaussian  model  with  about  a  15  percent  increase  in  nominal 
error. 

If  TAs  were  to  be  provided  on  non-Mode  C  aircraft,  there  would 
be  a  significant  reduction  in  the  unresolved  NMACs  without  an 
increase  in  induced  NMACs. 

Improved  visual  acquisition,  arising  from  the  presentation  of 
TAs,  has  little  effect  on  unresolved  NMACs.  This  is  due  to  the 
fact  that  since  only  Mode  C  aircraft  are  tracked,  there  is  high 
probability  of  getting  an  RA,  given  the  TA;  the  effect  of  visual 
acquisition  is  to  correct  inadequate  RAs,  which  are  infrequent. 
For  induced  NMACs,  the  benefit  of  improved  visual  acquisition 


PROBABILITY  OF 


TOP  EVENT  I 


Nominal  Case 
If  100%  Mode  C 

If  surveillance  failure  is  1/3 

2x 

If  GA  altimetry  if  20%  improved 

worse 

If  GA  altimetry  error  distribution 
exponential 

If  the  maneuvering  intruder  hazard 
is  50%  less  likely 

more  likely 

If  human  factors  failures  are  .05 
If  TAs  are  given  for  non-Mode  C 
If  visual  acquisition  ineffective 
If  RAs  not  followed  in  IMC 


EVENT  000 
(UNRESOLVED  NMAC) 

EVENT  500 
INDUCED  NMAC 

.413 

.011 

.035 

.018 

.399 

.011 

.430 

.011 

.411 

.008 

.417 

.017 

.416 

.015 

.413 

.008 

.413 

.014 

.442 

.042 

.238 

.011 

.416 

.025 

.507 

.007 

•SSI 


can  be  seen  by  observing  that  without  any  TAs  (visual 
acquisition  ineffective)  that  portion  of  the  failure  rate 
approximately  doubles. 

By  not  following  RAs  in  IMC,  we  can  avert  a  substantial  number 
of  induced  NMACs  as  shown  by  the  bar  on  the  right  side  of  Figure 
8-1;  however,  this  also  increases  the  number  of  unresolved  NMACs 

8.4  Human  Factors 

To  obtain  some  indication  of  the  effect  of  human  factors  failure 
modes,  a  conservative  failure  rate  of  .05  (1  failure  every  20 
situations  in  which  the  potential  for  failure  exists)  was  used. 
The  individual  failures  have  been  broken  down  into  their  five 
components  (VNA,  TNA,  RNF,  VMIR,  and  TI)  and  graphed  in  Figure 
8-2,  using  the  same  scale  as  Figure  8-1. 

It  can  be  seen  from  the  graph  that  human  factors  has  little 
impact  on  the  unresolved  component  of  the  failure  rate,  which  is 
only  slightly  sensitive  to  VNA  (intruder  was  visually  acquired 
but  NMAC  not  avoided),  TNA  (TA  misleads  the  pilot  into 
disregarding  visual  acquisition  or  a  correct  RA),  and  RNF  (RA 
not  followed).  The  unresolved  component  is  very  insensitive  to 
VMIR  (Maneuver  on  an  incorrect  RA  in  spite  of  visual  acquisition 
indications)  because  the  opportunity  to  make  this  error  is 
infrequent  (.08%  of  all  NMAC  encounters).  TI  (use  of  the 
Traffic  Advisory,  inducing  an  NMAC  )  does  not  apply  to  the 
unresolved  component. 

As  for  the  induced  component,  it  can  be  seen  that  the  potential 
exists  for  a  significant  number  of  failures  by  use  of  the 
Traffic  Advisory  to  make  an  incorrect  maneuver  which  induces  an 
NMAC.  It  should  be  noted,  however,  that  this  may  be  an  over¬ 
estimate  for  the  following  reasons: 


Risk  Ratio  (log  scale) 


Note 


RNF  :  Resolution  Advisory  Not  Followed 
VMIR:  Visual  acquisition,  but  pilot  still 
Maneuvers  on  an  Incorrect  RA 
TI  :  Pilot  maneuvers  based  on  TA,  Inducing 
an  NMAC 

:  Assumed  failure  rate  for  each  factor  is  .05; 
for  all  factors  at  once  they  are  also  .05. 


FIGURE  8-2 

INFLUENCE  OF  HUMAN  FACTORS  ON  OVERALL  SYSTEM  PERFORMANCE 


1.  Pilot  training  should  reduce  the  use  of  the  TA  for 
purposes  other  than  as  an  aid  to  visual  acquisition. 

2.  If  the  TA  is  used  for  maneuvering,  we  assumed  the 
following  conservative  conditions: 

a.  Visual  acquisition  is  not  attempted  or  is  not 
possible 

b.  If  the  display  is  accurate,  the  pilot  must  interpret 
it  adversely,  and  disregard  any  ensuing  RA 
(actually,  a  chain  of  concurrent  probabilities). 

As  can  be  seen  in  Figure  8-2,  the  induced  component  of  the 
failure  rate  is  not  sensitive  to  the  other  factors  (VMIR,  RNF, 
TNA,  or  VNA) . 

If  all  five  factors  were  to  fail  independently  at  the  rate  of  1 
In  20,  the  relative  probability  of  an  NMAC  would  be  48.4 
percent,  with  the  unresolved  component  being  44.2  percent  and 
the  induced  component  being  4.2  percent  as  was  listed  in  Table 
8-2. 
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FINDINGS 

Reviewing  the  approach  used  in  this  study,  a  term  called  Risk 
Ratio  was  defined  and  computed  using  real-world  data.  This 
factor  is  the  risk  of  encountering  a  critical  near  midair 
collision  (NMAC)  when  equipped  with  TCAS,  relative  to  the  risk 
when  not  so  equipped.  Using  the  NMAC  as  a  defined  failure 
condition  provides  a  quantitative  measure  for  calculations; 
using  the  Risk  Ratio  places  the  calculations  of  System  Safety 
on  a  direct  comparative  basis. 

The  basic  philosphy  is  to  make  the  assessment  realistic,  but 
conservative.  In  particular,  no  credit  was  assumed  for  the 
following : 

•  Visual  acquisition  in  less  than  bright  daylight 
conditions 

•  The  "Advisory  Not  OK"  feature 

•  Aircraft  leveling  out  gradually  instead  of  abruptly 

•  The  Resolution  Advisory  preventing  an  incorrect 
maneuver,  or  correcting  one  that  may  have  been 
prematurely  taken  on  a  Traffic  Advisory 

The  data  and  analyses  brought  to  focus  in  this  study  disclose 
the  following  findings  relative  to  the  Risk  Ratio. 
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Under  a  nominal  set  of  baseline  conditions  this  ratio 
is  about  42  percent.  Figure  9-1  shows  this,  with  the 
first  bar  (100  percent)  as  the  pre-existing  risk  of 
encountering  an  NMAC  without  TCAS;  the  second  bar 
(Risk  Ratio  is  42  percent)  is  the  risk  of  encountering 
an  NMAC  with  TCAS  under  the  nominal  conditions.  Most 
of  this  residue  is  attributable  to  the  lack  of  com¬ 
plete  equipage  with  altitude  reporting  transponders. 

If  the  capability  to  track  all  non-Mode  C  aircraft  and 
display  an  "altitude  unknown"  Traffic  Advisory  were 
added  to  the  nominal  system,  a  major  reduction  in  the 
unresolved  component  of  the  Risk  Ratio  would  be 
obtained;  the  residue  would  decrease  to  about  25 
percent,  as  shown  in  the  third  bar  of  Figure  9-1. 

This  is  caused  by  the  improved  visual  acquisition  that 
would  result  for  those  aircraft  that  are  on  a  near 
collision  course. 

The  greatest  payoff,  however,  in  reducing  the  risk  of 
NMACs  would  be  to  increase  the  fraction  of  aircraft 
having  altitude  reporting  transponders.  Statistics  on 
avionics  show  the  trend  to  be  in  that  direction.  If 
all  aircraft  were  equipped  with  altituding  reporting 
transponders,  the  Risk  Ratio  would  decrease  to  5 
percent  (the  fourth  bar  of  Figure  9-1),  two  thirds  of 
which  is  attributable  to  surveillance  limitations;  the 
remainder  is  attributable  to  maneuvering  intruders  and 
to  altimetry  error. 


II* 


100  No  TCAS  (Reference  Condition) 


FIGURE  9-1 

RELATIVE  TCAS  EFFECTS 


Most  of  the  residue  under  nominal  conditions  is  caused 
by  an  inability  to  avoid  an  NMAC  that  would  have 
occurred  even  without  TCAS  (the  unresolved  component 
of  Risk  Ratio).  Under  certain  conditions,  however, 
the  system  itself  can  induce  an  NMAC  (the  induced 
component  of  Risk  Ratio).  The  risk  of  that  occurring 
for  the  nominal  conditions  is  about  one  percent  of  the 
risk  of  encountering  an  NMAC  without  TCAS  (shaded 
parts  of  the  bars  in  Figure  9-1;  see  also  Table  9-1). 
The  primary  cause  for  these  failures  are  altimetry 
errors  and  sudden  maneuvers  by  the  intruder. 

If  the  standard  deviation  (Gaussian  distribution)  of 
general  aviation  altimetry  error  were  to  be  20  percent 
larger  than  estimated,  the  induced  component  of  Risk 
Ratio  would  increase  to  about  1.7  percent.  While  this 
component  is  small  relative  to  the  unresolved 
component,  and  the  overall  effect  on  Risk  Ratio  is 
small,  the  minimization  of  induced  NMACs  is  in  Itself 
a  major  TCAS  objective.  If  the  assumed  error 
distribution  were  characterized  by  the  heavy  tailed 
symmetrical-exponential  distribution  instead  of  the 
Gaussian,  the  nominal  induced  component  of  Risk  Ratio 
would  be  1.5  percent  —  somewhat  larger  than  before 
but  similar  in  effect. 

The  contribution  of  altimetry  error  to  the  total 
overall  Risk  Ratio  is  dominated  by  the  GA  errors;  the 
hazard  caused  by  air  carrier  errors  is  at  least  an 
order  of  magnitude  lower.  A  reduction  of  the  GA 
altimetry  error  provides  more  than  proportionate 
reduction  in  the  induced  component  of  the  Risk  Ratio. 


The  risk  of  two  air  carriers,  both  equipped  with  TCAS, 
having  an  NMAC  is  several  orders  of  magnitude  less 
than  without  TCAS;  altimetry  is  corrected,  maneuvers 
are  coordinated,  and  both  aircraft  have  surveillance. 

TCAS  is  susceptible  to  being  thwarted,  in  certain 
cases,  by  an  intruder  making  a  sudden  vertical 
maneuver.  The  situation  of  most  concern  is  one  in 
which  an  intruder  with  a  substantial  vertical  rate 
approaches  a  level  TCAS  aircraft  so  as  to  project  a 
crossing  through  its  altitude.  A  vertical  escape 
initiated  by  the  TCAS  aircraft  could  be  thwarted 
("faked  out")  if  the  intruder  were  suddenly  to  level 
off  at  a  critical  time  and  altitude.  The  study  used 
actual  aircraft  data  from  Piedmont  flights  and  from 
FAA  flights  to  estimate  the  contribution  of  this 
factor  to  overall  Risk  Ratio.  A  50  percent  increase 
in  the  probability  of  a  fakeout  maneuver  will  cause  a 
nearly  proportionate  increase  in  the  induced  component 
(increases  the  induced  component  of  Risk  Ratio  from 
1.1  percent  to  1.4  percent). 

The  nominal  performance  of  surveillance  quality  was 
estimated  from  live  track  data  in  many  regions  of 
airspace.  If  the  missed  track  rate  were  to  decrease 
from  its  nominal  rate  of  three  percent  to  one  percent, 
a  small  improvement  in  the  unresolved  component  of 
Risk  Ratio  would  be  obtained;  the  induced  component  is 
essentially  unaffected. 


5.  A  Traffic  Advisory  is  displayed  on  an  intruder 
approximately  15  seconds  before  the  Resolution 
Advisory  is  posted.  This  precursor  is  intended  to 
alert  the  pilot  to  start  a  visual  search  for  an 
aircraft  that  may  be  of  concern.  If  visual 
acquisition  is  obtained,  an  incorrect  Resolution 
Advisory,  such  as  from  altimetry  error,  can  be 
overriden  by  the  pilot.  This  aided  acquisition 
reduces  the  induced  component  of  Risk  Ratio  by  more 
than  half.  Very  little  effect  occurs  for  the 
unresolved  component,  as  a  Resolution  Advisory  almost 
always  occurs  if  a  Traffic  Advisory  is  present. 

6.  If  TCAS  is  not  used  in  IMC,  which  constitutes  roughly 
16  percent  of  the  NMACs,  the  unresolved  component 
would  correspondingly  increase,  and  the  induced 
component  would  correspondingly  decrease. 

7.  The  probability  of  encountering  an  NMAC  in  today’s 
environment,  in  the  absence  of  TCAS,  is  approximately 
once  in  100,000  hours  of  flight.  Four  quite  different 
approaches  to  obtaining  this  estimate  were  used,  and 
they  were  all  within  4:1  of  this  value. 

8.  Five  pilot  failure  modes  (human  factors)  were 
postulated  and  their  relative  impact  parametrically 
assessed.  The  most  severe  failure  postulated  (TI)  is 
one  in  which  the  pilot  used  the  Traffic  Advisory  for 
maneuvering  rather  than  for  visual  acquisition,  made 
an  inappropriate  maneuver,  and  disregarded  any 


subsequent  Resolution  Advisory.  The  second  most 
severe  human  factor  failure  is  one  in  which  the 
Resolution  Advisory  is  simply  not  followed. 

If  all  five  human  factor  failures  were  to  fail 
independently  at  the  rate  of  1  in  20,  the  Risk  Ratio 
would  be  about  48  percent,  with  the  induced  component 
accounting  for  4.2  percent. 


10.  CONCLUSIONS  AND  RECOMMENDATIONS 


Operational  Implications 

Operational  discipline  for  the  use  of  TCAS  will  vary 
depending  on  many  factors.  However,  it  was  found  that:  1) 
visual  acquisition,  as  aided  by  the  Traffic  Advisory 
display,  can  play  an  important  role  both  in  improving 
see-and-avoid  and  in  minimizing  the  effects  that  would 
induce  critical  NMACs,  (2)  alertness  remains  necessary  in 
visual  conditions  both  to  protect  against  aircraft  not 
equipped  with  transponders  and,  to  a  much  lesser  extent,  to 
protect  against  equipped  aircraft  which  may  be  missed  by 
TCAS  surveillance. 

If  TCAS  is  not  used  in  IMC,  the  induced  component  of  NMACs 
would  decrease;  however,  the  larger  benefit  of  being  able 
to  resolve  NMACs  in  IMC  would  also  decrease. 

Training  Implications 

During  the  course  of  this  System  Safety  study,  several 
factors  that  should  be  addressed  in  a  training  and 
proficiency  program  became  apparent. 

1.  Traffic  Advisories  are  intended  to  aid  visual 
acquisition  and  to  prepare  the  pilot  should  a 
Resolution  Advisory  follow.  Premature  maneuvering 
based  on  the  Traffic  Advisory  alone  could  be  self 
defeating . 

n 

4. 


Prompt  reaction  when  a  Resolution  Advisory  is 
posted  is  important.  In  order  to  be  able  to 


maneuver  through  the  uncertainties  of  altimetry 
error,  a  displacement  on  the  order  of  400-500  ft 
may  be  necessary  (larger  at  high  altitudes).  A 
delayed  reaction  will  reduce  the  displacement 
achievable  in  the  available  time. 

3.  From  the  results  of  the  study  it  appears  that  the 
pilot  is  statistically  better  off  by  trusting  his 
instrument  than  by  not  trusting  it  —  the  ratio  of 
resolving  NMACs  to  inducing  them  is  23:1.  If,  in 
addition.  Traffic  Advisories  are  used  to  aid 
visual  acquisition,  this  ratio  increases  to  58:1. 

Equipment  Reliability  Implications 

The  type  of  equipment  failure  of  concern  for  this  study  io 

one  which  could  cause  an  NMAC.  If  one  occurs  which  does 

not  cause  the  performance  monitor  to  immediately  turn  off 
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TCAS,  it  should  be  at  the  rate  of  10  ,  or  less,  per  NMAC 

to  be  negligible  relative  to  other  causes.  The  performance 
monitor  therefore  needs  to  be  effective  in  detecting 
critical  sources  of  failure  in  the  elements  of  the  TCAS 
system. 

Program  Implications 

The  System  Safety  study  highlighted  several  recommended 
areas  that  the  TCAS  Program  might  emphasize  in  the  future. 


1.  Steps  should  be  initiated  to  confirm  applications 
of  TCAS  in  IMC.  A  determination  of  the  detailed 
nature  of  altimetry  and  of  maneuvering  intruders 


under  poor  visibility  conditions  should  be 
obtained  and  methods  explored  for  controlling  them. 

2.  Identify  steps  that  might  be  undertaken  to  remove 
out-of-tolerance  altimeters  from  the  system. 

3.  Develop  pilot  training  measures  to  specifically 
treat  human-factor  failure  modes  that  have  been 
identified.  Consider  means  to  verify  the 
effectiveness  of  such  steps. 


Changes  Required 

This  study  resulted  in  an  intensive  evaluation  of  all 
safety-related  parameters  and  procedures.  It  was  concluded 
that  an  increase  of  the  ALIM  parameter  at  low  altitudes 
appears  desirable.  This  would  decrease  the  effects  of 
altimetry  error  and  would  not  affect  the  alarm  rate 


significantly. 


10-3 


T 


APPENDIX  A 

LIST  OF  GOVERNMENT/ INDUSTRY  REVIEWERS 

The  following  list  of  individuals  participated  in  several  status 
reviews  held  during  the  course  of  the  System  Safety  study. 


Mr.  Barry  Billmann 

Federal  Aviation  Administration  Technical  Center 
Mr.  Thomas  A.  Choyce 

Federal  Aviation  Administration  Technical  Center 
Mr.  Adfred  L.  Adkins 

Federal  Aviation  Administration  Technical  Center 

Ms.  Wendie  F.  Chapman 
Federal  Aviation  Administration 

Mr.  Harold  W.  Becker 

Federal  Aviation  Administration 

Lt.  Col.  James  Williams  (DOD  liaison) 

Federal  Aviation  Administration 

Mr.  William  L.  Hyland 
Federal  Aviation  Administration 

Mr.  James  Treacy 

Federal  Aviation  Administration 

Mr.  Raymond  Stoer 

Federal  Aviation  Administration 

Mr.  Robert  Miller 

Federal  Aviation  Administration 

Mr.  Quentin  Smith 

Federal  Aviation  Administration 


J 


.V 


I.J. 


A-l 


Mr.  Ken  Peppard 

Federal  Aviation  Administration 
Mr.  David  West 

Federal  Aviation  Administration 
Col.  Wilfred  G.  Volkstadt 

United  States  Air  Force/Federal  Aviation  Administration 
Mr.  Richard  Bowers 

Air  Transport  Association  of  America 
Mr.  Ward  Baker 

Air  Line  Pilots  Association  International 
Mr.  Dennis  Wright 

Aircraft  Owners  &  Pilots  Association 
Mr.  J.C.  Snodgrass 

Aerospace  Industries  Association  of  America 

Mr.  Robert  Buley 
Republic  Airlines 

Mr.  Frank  C.  White 
Dalmo  Victor  Operations 

Mr.  Gilbert  F.  Quinby 
Consultant 

Captain  David  Simmon 
United  Airlines 

Mr.  George  Litchford 
Litchstreet 

Mr.  George  K.  Schwind 
United  Airlines 

Mr.  Burton  Hulland 
Hulland  Engineering 

Mr.  Harold  H.  Fink 
Aeronautical  Radio,  Incorporated 

Mr.  E.W.  Fretwell 

Air  Line  Pilots  Association  International 


Mr.  Arthur  D.  McComas 
Bendix 

Mr.  Ulf  Gustafsson 
United  Airlines 

Captain  Ray  Jones 
Delta  Airlines 

Mr.  Robert  D.  Force 

Boeing  Commercial  Airplane  Company 

Mr.  J.M.  Graham 
Douglas  Aircraft 

Dr.  E.W.  Holcomb 

Boeing  Commercial  Airplane  Company 


APPENDIX  B 

AN  ESTIMATION  OF  THE  PROBABILITY  OF  HORIZONTAL  MISS  DISTANCE, 

GIVEN  A  TCAS  ALARM 


It  is  of  Interest  to  estimate  the  probability  that  two  aircraft  will 
approach  within  a  given  horizontal  distance  after  a  TCAS  advisory 
(RA  or  TA)  is  posted.  The  following  analysis  employs  the  modified 
Tau  criterion  for  alarm  and  develops  a  simple  estimate  of  that 
probability  based  on  non-accelerating  flight;  it  is  abstracted  from 
several  notes  written  by  Joseph  J.  Fee. 

The  encounter  geometry  is  illustrated  in  Figure  B-l.  The  circle 
with  radius  S  represents  the  desired  separation  in  the  horizontal 
plane  at  the  closest  point  of  approach.  The  intruder  approaches 
with  relative  velocity  V,  having  a  radial  component  Vr  and  a 
tangential  component  V^.. 

The  necessary  condition  for  an  alarm  to  be  generated  is  that  the 
modified  TAU  criterion  must  be  met.  That  is, 

(R-R  ) 

TAU - _2_ 

r 

°r  (R-R) 

v  =  _ _ 

r  TAU  (B-l) 

where  Rq  ■  minimum  range  parameter 
R  ■  range  to  threat 
Vr  *  radial  velocity 

TAU  *  approximate  time  to  closest  approach 
The  sufficient  condition  for  alarm  initiation  follows  from  the 
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requirement  that  the  radial  velocity,  V  ,  be  both  negative  and 
decreasing  more  rapidly  than  the  alarm  threshold: 


dV  ,  (R  -  R) 

r  d  o 


dt  dt  TAU 


2  -  Vr 

V  =  W  R  =  - - 

r  TAU 


(since  R  “  V  at  alarm 
threshold)1 


where  W  =  Vt/R 


After  some  manipulation,  this  gives  a  constraint  on  the  magnitude  of 
the  relative  tangential  velocity: 


IVtl-|Vrl  (-W~>  <R>V 

o 


(B-2) 


in  addition  to  the  constraint  previously  imposed  on  the  radial 
velocity. 

For  a  specified  minimum  separation,  the  constraint  on  is  given 
by  the  geometry  requirement: 


y—  <_  tan  A 
r 


'V-'V  —^71/2 

(R  -  S^) 


(B-3) 


These  equations  can  be  utilized  in  computing  the  probability  of 
alarm  and  likelihood  of  approaching  within  separation  S,  by  assuming 
a  random  distribution  for  the  encounter  relative  velocity.  In  the 
following  development,  two  assumptions  are  made  with  respect  to  the 
randomness  of  encounter: 
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a.  The  TCAS  is  operating  in  steady  state  fashion,  i.e.,  the 
encounters  typically  occur  singly  and  at  the  minimum 
radial  relative  velocity  corresponding  to  the  range  at 
alarm  initiation. 

b.  The  relative  velocity  is  uniformly  distributed  in  bearing 
over  2tt  radians  and  in  magnitude  between  0  and  V 

max 

(from  Piedmont  data). 

The  computation  of  probability  is  illustrated  in  Figure  B-2: 

1.  For  each  range,  the  range  rate  is  computed  for  TAU  alarm. 

2.  The  probability  of  TAU  alarm  and  S  separation  as  a 
function  of  each  range  is  computed  over  an  incremental 
range  rate  (AVr).  This  is  shown  in  terms  of  the 
incremental  sector  areas  in  Figure  B-2,  where  the  circle 
represents  the  uniform  probability  distribution  of 
velocity  which  is  the  same  for  all  ranges 

3.  The  overall  probability  of  alarm  and  near  miss  is  computed 
by  integrating  over  all  ranges  between  Rq  and  (the 
mean  range  at  which  alarm  occurs  —  from  Piedmont  data) . 

4.  The  probability  of  an  intruder  coming  within  500  feet 
(laterally)  of  TCAS,  given  a  TAU  alarm  is  simply: 


Probability  of  Near  Miss 


shown  is  directly  proportional  to  the  ratio  of  angular  arcs 
corresponding  to  probability  of  near  miss  and  TAU  alarm, 
respectively.  For  a  given  radius  R,  greater  than  Rq,  equation  B-2 
implies  that  V  is  approximately  equal  to  V^,  from  which  it 
follows  that  TAU  alarms  will  be  given  for  relative  velocities  within 
approximately  +  45  degrees  of  a  head-on  encounter.  Similarly,  for  R 
greater  than  Rq,  equation  B-3  implies  that  the  angular  sector  in 
which  a  near  miss  can  occur  is  approximately  proportional  to: 


r 


and  decreases  as  R  increases. 

Using  R^  =  .3  nmi,  TAU  =  25s,  and  observing  from  the  Piedmont  data 
base  that  the  maximum  relative  velocity  was  857  knots,  one  can 
calculate  the  probability  of  a  near  miss  (less  than  500  ft),  given 
an  alarm,  by  using  the  procedure  depicted  in  Figure  B-2.  The  result 
is : 

ps|a  -  *028 
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APPENDIX  C 

PROBABILITY  OF  POTENTIAL  FAKE-OUT  MANEUVER 
FROM  FAA  FLIGHT  DATA 


In  Section  3.3  the  airspace  was  characterized  from  data  taken  by  FAA 
flights  of  TCAS  equipment.  This  Appendix  utilizes  that  data  to 
estimate  the  probability  of  a  fake-out  maneuver. 

The  factors  to  consider  in  determining  the  probability  of  a 
potential  fake-out  maneuver  are  vertical  separation  at  CPA, 
horizontal  separation  at  CPA,  vertical  rate  of  intruder  and 
probability  of  a  profile  change.  Table  C-l  presents  the 
probabilities  of  these  factors,  as  determined  from  Section  3.3. 


TABLE  C-l 

PROBABILITY  OF  FAKE-OUT  MANEUVER 
GIVEN  A  PROXIMATE  ENCOUNTER 


FACTOR  PROBABILITY 

VERTICAL  RATE  GREATER  THAN  1200  FPM  .12 

VERTICAL  SEPARATION  AT  CPA  BETWEEN 

500’  and  800’  .076 

HORIZONTAL  SEPARATION  AT  CPA  LESS 

THAN  .1  NAUTICAL  MILES  .0005 

PROFILE  CHANGE  IN  A0  SECOND  PERIOD  .125 


5.70  X  10"7  Probability 
of  Fake-out  Maneuver 


This  is  compared  with  other  results  in  Section  A. 2. 6. 
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APPENDIX  D 

TCAS  RESOLUTION  PERFORMANCE 

During  early  testing  of  TCAS  at  the  FAA  Technical  Center, 
procedures  included  responding  to  TCAS  alarms  on  most  flights. 
The  pilots  were  directed  to  respond  with  a  smooth  acceleration 
to  a  1000  feet  per  minute  escape  rate,  if  they  were  level.  If 
the  aircraft  was  already  in  a  steady  state  vertical  maneuver, 
they  were  to  attempt  to  increase  the  vertical  rate  by  500  feet 
per  minute,  if  the  RA  was  in  the  direction  of  the  current 
maneuver.  Post  flight  analysis  indicated  the  escape 
accelerations  averaged  1/8  g.  The  achieved  escape  rates  from 
level  flight  conditions  slightly  exceeded  the  goal  rate  of  1000 
feet  per  minute.  (Note:  It  is  now  envisioned  that  the  pilot 
will  escape  at  1500  fpm,  or  at  current  rate  if  that  exceeds 
1500  fpm.) 

During  testing  with  preplanned  encounters  the  Tau  value  used 
for  alarming  was  25  seconds.  The  vertical  threshold  for 
negative  Resolutions  Advisories  was  750  feet  for  all 
encounters.  The  predicted  vertical  separation  parameter  for 
positive  Resolution  Advisories,  ALIM,  was  either  340  or  440 
feet  depending  on  whether  the  TCAS  aircraft  was  above  or  below 
10,000  feet  MSL. 

Figure  D-l  depicts  the  CPA  conditions  which  resulted  following 
TCAS  alarms  requiring  a  pilot  response.  Included  are  all  level 
flight  encounters  which  resulted  in  positive  resolution 
advisories  and  encounters  with  negative  advisories  which  caused 
the  pilot  to  change  his  rate  or  direction  of  vertical 
movement.  The  squares  denote  cases  which  called  for  pilot 
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FIGURE  D-1 

CPA  CONDITIONS  FOLLOWING 
CORRECTIVE  RESOLUTION  ADVISORIES 


response  but  no  response  was  made  due  to  the  testing  procedures 
being  used  on  that  particular  flight. 

Figure  D— 1  indicates  a  high  proportion  of  the  vertical 
separations  concentrated  between  350  and  600  feet.  This 
reflects  the  achievement  of  sufficient  vertical  separation 
since  ALIM  was  either  340  or  440  feet  and  the  TCAS  aircraft 
could  then  return  to  level  flight.  Several  encounters  which 
resulted  in  Resolution  Advisories  were  planned  to  have  more 
than  2  nautical  miles  horizontal  separation  at  CPA.  The 
horizontal  distance  in  these  cases  is  off  scale  and  the  points 
are  not  included  in  Figure  D-l. 

Figure  D-2  presents  the  cumulative  distributions  of  vertical 
separation  following  TCAS  corrective  resolutions  when  both 
aircraft  were  in  level  flight.  For  the  cases  shown  in  Figure 
D-2,  65  percent  of  the  encounters  had  initial  vertical 
separations  of  300  feet  and  the  remaining  35  percent  had 
initial  vertical  separations  of  100  feet.  Slightly  larger 
vertical  separation  resulted  for  cases  when  ALIM  was  440  feet. 
Ninety-five  percent  of  the  encounters  resulted  in  vertical 
separation  exceeding  350  feet.  Vertical  separation  exceeded 
400  feet  90  percent  of  the  time. 

Encounters  in  which  the  TCAS  was  in  a  steady  state  climb  or 
descent,  and  the  intruder  was  level,  were  also  tested. 
Additionally,  the  roles  of  TCAS  and  the  intruder  were 
reversed.  The  steady  state  vertical  rates  tested  were  climbs 
and  descents  with  rates  of  either  500,  1000  or  2000  feet  per 
minute.  For  these  scenarios  the  planned  vertical  separation  at 
closest  point  of  approach  was  0  feet.  The  separation  results 
are  presented  in  Figure  D-3. 
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Probability  Vertical  Separation  Following  TCAS 
Alarm  Exceeds  X  Feet 


Probability  Vertical  Separation  Following  TCAS 
Alarm  Exceeds  X  Feet 


In  97  percent  of  the  encounters  the  resulting  vertical 
separation  exceeded  300  feet.  In  almost  90  percent  of  the 
encounters  vertical  separation  exceeded  500  feet  at  CPA.  The 
average  separation  and  the  90th  and  95th  percentile  separations 
were  slightly  larger  for  cases  where  TCAS  was  established  in  a 
climb  or  descent  and  the  intruder  was  level  at  the  time  of  the 
alarm. 


APPENDIX  E 

SCOPE  OF  LOGIC  TESTING  AT  THE  FAA  TECHNICAL  CENTER 


The  FAA  Technical  Center  has  performed  very  thorough  testing  of 
the  TCAS  Collision  Avoidance  Logic.  The  logic  testing 
activities  have  included  both  simulation  testing  of  the 
collision  avoidance  software  and  live  flight  testing  of  the 
collision  avoidance  logic  as  implemented  in  the  TCAS  hardware. 
Logic  testing  has  been  an  evolutionary  process.  In  later 
stages  of  logic  development,  changes  were  tested  by  replaying 
the  TCAS  surveillance  data  which  had  been  collected  on  previous 
TCAS  test  flights. 

Initial  testing  involved  the  tailoring  of  the  threat  volumes  to 
terminal  operation  characteristics.  The  Air  Traffic  Control 
Simulation  Facility  at  the  FAA  Technical  Center  was  configured 
to  represent  two  different  terminal  areas,  Chicago  (O'Hare), 
and  Knoxville,  Tennessee.  These  simulations  were  used  to 
develop  the  first  estimates  of  the  collision  avoidance  alarm 
rate.  The  result  of  this  testing  was  reported  in  References 
11,  12,  and  13. 


The  performance  of  the  collision  avoidance  logic  to 
satisfactorily  generate  separation  between  conflicting  aircraft 
was  evaluated  using  the  Fast  Time  Encounter  Generator  developed 
at  the  FAA  Technical  Center.  This  simulation  tool  permitted 
rapid  analyses  of  TCAS  performance  for  a  large  number  of 
preplanned  encounter  scenarios.  The  scenarios  included  Mode 
C-only  threats,  TCAS  equipped  threats,  and  multiple  intruders 
of  various  equipment  configurations.  Using  the  Fast  Time 
Encounter  Generator  logic,  sensitivity  to  several  parametric 
encounter  conditions  was  tested.  The  range  of  the  parameter 
conditions  are  listed  in  Table  E-l. 
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TABLE  E-l 

RANGE  OF  PARAMETRIC  CONDITIONS  EVALUATED 


ENCOUNTER  CONDITION  SAMPLE  PARAMETRIC  RANGE 

OWN  VELOCITY  150  to  550  knots  in  100  kn 

increments 

INTRUDER  VELOCITY  100  to  440  knots  in  50  kn 

increments 


OWN  VERTICAL  RATE  +3000,  +1500,  +1000,  +500  fpm 

and  level 

INTRUDER  VERTICAL  RATE  Same  as  OWN  Vertical  Rate 

VERTICAL  SEPARATION  AT  CPA  OWN  1000’  above  to  1000'  below 

intruder  at  CPA  in  increments 
of  100' 

HORIZONTAL  SEPARATION  AT  CPA  0  to  3  nmi  in  0.25  nmi  increments 

INTRUDER  VERTICAL  ACCELERATION  0.1,  0.25  and  0. 5  g 

TIME  OF  ACCELERATION  55  to  10  s  prior  to  CPA  in 

5  s  increments 

INTRUDER  HORIZONTAL  MANEUVERS  Half  standard  rate,  standard  rate 

and  twice  standard  rate  turns 

The  Fast  Time  Encounter  Generator  has  been  used  to  verify  logic 
performance  in  over  70,000  separate  encounter  scenarios.  The 
results  of  this  testing  is  described  in  References  35,  36,  37, 
and  38. 

Other  testing  has  identified  the  impact  of  error  degraded  range 
and  altitude  data  on  TCAS  performance.  The  ability  of  the  TCAS 
logic  to  perform  during  periods  of  high  track  coast  rates  (40% 
to  45%)  has  been  verified.  The  performance  the  TCAS  logic  in 
time  correlated  error  degraded  environment  is  discussed  in 
Reference  39. 
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The  results  of  the  TCAS  logic  performance  during  10  separate 
test  flights  has  been  thoroughly  reviewed.  The  test  flights 
were  conducted  in  Washington,  D.C. ,  Atlantic  City,  and 
Chicago.  The  flights  included  both  planned  encounters  and 
targets  of  opportunity.  Other  test  activities  have  involved 
in-depth  testing  of  specific  portions  of  the  TCAS  logic. 
Particular  emphasis  has  been  placed  on  vertical  tracking 
procedures.  Results  of  this  analysis  are  presented  in 
References  40  and  41. 
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APPENDIX  F 

FAILURE  MODE  AND  EFFECTS  ANALYSIS 

This  section  tabulates  failure  effects  of  portions  of  the  TCAS 
system.  The  perspective  is  "bottom-up,”  or  inverse  to  the  fault 
tree,  in  that  each  failure  is  studied  to  deduce  the  worst  possible 
effect  it  could  cause.  In  some  instances,  more  than  one  effect  is 
listed,  but  would  not  occur  simultaneously.  The  effects  are  stated 
in  the  form  "missed  RA,”  "incorrect  RA,"  etc.  An  examination  of  the 
fault  tree  shows  that  these  effects  can  combine  with  the  geometry  of 
an  encounter  and  other  factors,  and  may  lead  to  the  NMAC.  Of 
course,  effect  (e.g.,  "Incorrect  RA”)  does  not  necessarily  lead  to 
NMAC. 

The  TCAS  equipment  contains  a  Performance  Monitor  that  turns  the 
TCAS  system  off  if  a  failure  is  detected.  This  section  shows  the 
effects  of  undetected  failures.  The  level  of  hardware  failures 
described  is  the  functional  level. 

FAILURE  OF  SYSTEM  FUNCTIONS 

FAILURE  WORST  POSSIBLE  EFFECT(S) 

TCAS  Receiver  Totally  Fails  No  aircraft  tracked.  All  TA, 

RA  missed. 

Receiver  Sensitivity  Degrades  Late  or  intermittent  tracks. 

Late  TA,  RA. 


TCAS  Interrogator  Totally  Fails 


No  aircraft  tracked.  All  TA, 
RA  missed. 


Partial  Failure  of  Whisper-Shout 
Hardware 

Interrogator  Power  Degraded 

Processor  or  Memory 
RA  Display 
TA  Display 

Aural  Alarm 

Manual  Sensitivity  Level  Switch 


Antenna  or  Cables 

Partial  Failure  of  Directional 
Antenna  or  Angle  Receiver. 


Some  tracks  missed.  No  TA, 
RA.  Some  tracks  garbled. 

Late  TA,  RA. 

Late  or  intermittent  tracks. 
Late  TA,  RA. 

Missed  RA.  Incorrect  RA. 

Missed  RA.  Incorrect  RA. 

Missed  TA.  Incorrect  TA. 

Pilot  does  not  perceive 
advisory. 

Wrong  Sensitivity  Level 
selected.  Missed  RA  (Level  1 
or  2).  Unwanted  RA  (Level 
too  high) .  Late  RA  (Level 
too  low).  Missed  TA  (Level 
1). 

Same  as  receiver,  transmitter 

Incorrect  bearing  in  TA. 
Missed  TA,  RA.  Dropped 
tracks . 


MODE-S  TRANSPONDER  FAILURES 


FAILURE 

Receiver 

Transmitter 

INCORRECT 

INCORRECT  DATA 

Threat  Range,  Altitude 

Threat  TCAS-II  Equipage 
Threat  Crosslink  Request 

Threat  Mode-S  Address 


WORST  POSSIBLE  EFFECT(S) 

Own  TCAS  not  seen  by  Threat 
TCAS.  Maneuver  Coordination 
cannot  be  completed.  Ground 
Sensitivity  Level  Message  not 
received. 

Own  TCAS  not  seen  by  Threat 
TCAS.  Maneuver  Coordination 
cannot  be  completed. 

INPUT  DATA 

WORST  POSSIBLE  EFFECT(S) 

Missed  RA.  Incorrect  RA. 
Incorrect  position  on  TA.  No 
TA.  TA  not  displayed  due  to 
incorrect  low  priority. 

RA  not  coordinated. 

No  crosslink  sent. 

No  track.  Missed  RA. 


Threat  Sensitivity  Level 


Late  RA. 


Threat  Altitude  Reporting 
Status 

Threat  Bearing 

Own  Sensitivity  Level 

Sensitivity  Level  Command  From 
Mode-S 

Own  Magnetic  Heading 

Own  Barometric  Altitude 

Own  Radar  Altitude 

Own  Radar  Altitude  Missing 


Missed  RA.  No  altitude 
displayed  on  TA. 

Incorrect  position  on  TA. 

Same  as  Manual  Sensitivity 
Level  Switch. 

Same  as  Manual  Sensitivity 
Level  Switch 

Incorrect  bearing  sent  in 
crosslink. 

Incorrect  RA.  Missed  RA. 
Incorrect  relative  altitude 
in  TA. 

Wrong  sensitivity  level. 
Missed  or  late  TA,  RA. 
Threat  incorrectly  declared 
on  ground.  Missed  TA,  RA. 
"Descend"  RA  incorrectly 
converted  to  "Don't  Climb." 

RA  descends  TCAS  into 
terrain.  Unwanted  TA,  RA 
against  threat  on  ground. 
Wrong  sensitivity  level. 
Missed  or  late  TA,  RA. 


Own  Altitude  Rate 


Wrong  RA  (only  for  few 
seconds  when  TCAS 
initialized) . 


Coordination  data: 
Threat  ID 
LCK  bit 


Advisory  complement 


Uncoordinated  RA  selected. 
Coordination  with  third  TCAS 
may  be  delayed  0.1  second. 
Incorrect  RA  selected. 


Threat  Maximum  airspeed 


Late  track..  Late  TA,  RA. 


Mode-S  Threat  On-Ground 
Status 


Missed  TA,  RA.  Alarm  against 
threat  on  ground. 
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APPENDIX  G 

EXTENDED  BRANCHES  OF  THE  TCAS  FAULT  TREE 


There  are  20  events  in  the  fault  tree  which  are  TCAS-related  and 
which  are  treated  in  further  detail  here.  They  are  represented  in 
Figures  7-2  and  7-3  by  the  events  with  transfer  symbols  (triangles) 
beneath  them.  The  following  listings  are  a  tabular  form  of  these 
extended  branches.  To  avoid  excessive  duplication,  branches 
simlliar  to  others  are  not  shown;  reference  will  be  made  to  the 
branch  that  is  the  same  in  general  form.  Branches  were  written 
without  the  fault  parameters  being  explicitly  defined.  For 
instance,  altimetry  error  will  be  listed  as  a  cause  of  failing  to 
satisfy  threat  advisory  criteria,  but  the  exact  nature  of  that 
altimetry  error  (error  less  than  100',  for  example)  will  not  be 
listed.  This  allows  some  branches  on  the  unresolved  NMAC  side  of 
the  tree  to  double  as  branches  on  the  induced  NMAC  side  of  the  tree. 

The  following  pages  represent  the  extended  development  for  these 
faults: 

•  TCAS  Does  Not  Display  a  Traffic  Advisory  (Event  7-376) 

•  TCAS  Does  Not  Display  a  Resolution  Advisory  (Event  5-420) 

•  TCAS  Displays  a  Resolution  Advisory,  but  Not  in  Time  to 
Avoid  the  NMAC  (Event  5-430) 


•  TCAS  Displays  a  Resolution  Advisory  Which  the  Pilot  Does  Not 
Follow  (Event  5-440) 


•  TCAS  Displays  a  Resolution  Advisory  Which  is  Inadequate  to 
Avoid  the  NMAC  (Event  5-450) 

•  TCAS  Displays  a  Resolution  Advisory  Which  Will  Lead  to  NMAC 
(Event  6-670) 

•  Traffic  and  Proximity  Advisories  (If  Any)  Do  Not  Show  the 
Instruction/Maneuver  is  Incorrect  (Event  8-733) 

•  TCAS  Displays  a  Resolution  Advisory  Which  Would  Avoid  the 
NMAC  Except  that  the  Threat  Maneuvers  (Event  5-950). 

The  extended  development  of  some  other  faults  follows  that  of  one  of 
those  listed  above,  with  different  values  in  the  probabilities. 

These  faults,  along  with  the  ones  they  are  patterned  after  follows 
below: 

•  No  Traffic  Advisory  Is  Displayed  (Event  9-688)  -  Event  7-376 

•  Aircraft  That  Is  a  Threat  Is  Not  Displayed  (Event  9-725)  - 
Event  7-376 

•  TCAS  Is  Not  Displaying  a  Preventive  RA  Against  the  Maneuver 
(Event  6-745)  -  Event  5-420 

•  Aircraft  That  Is  a  Threat  is  Not  Displayed  (Event  8-794)  - 
Event  7-376 

•  Traffic  and  Proximity  Advisory  Shown  Does  Not  Show  the 
Instruction  Is  Incorrect  (Event  8-797)  -  Event  8-733. 


•  TCAS  Does  Not  Display  a  Resolution  Advisory  (Event  5-910)  - 
Event  5-420 

•  TCAS  Displays  a  Resolution  Advisory  but  Not  in  Time  to  Avoid 
NMAC  (Event  5-920)  -  Event  5-430 

•  TCAS  Displays  a  Resolution  Advisory  Which  the  Pilot  Does  Not 
Follow  (Event  5-930)  -  Event  5-440 

•  TCAS  Displays  a  Resolution  Advisory  Which  Will  Not  Avoid  the 
NMAC  (Event  5-940)  -  Event  5-450 

Extended  development  of  event  7-398  (Pilot  Did  Not  Avoid  NMAC  Based 
on  Information  Provided  By  the  TCAS  TA  Display)  and  event  8-771 
(Pilot  Selects  an  Inappropriate  Maneuver  Based  on  the  TCAS  TA 
Display)  was  not  done,  as  they  are  human  factors-dependent  faults. 

A  branch  for  event  5-960  (TCAS  Does  Not  Display  an  "Advisory  Not 
OK”)  was  not  completed*,  the  failure  rate  for  the  fault  was  assumed 
to  be  1.0. 

In  the  branches  that  follow,  events  are  assigned  a  decimal  fraction 
of  the  event  they  fall  under  (thus,  event  376.2111  is  a  sub-event  of 
event  7-376).  The  number  of  places  assigned  in  that  decimal 
fraction  indicates  how  far  down  in  the  development  the  sub-event 
is.  Any  sub-event  containing  the  full  decimal  of  another  (for 
example,  376.2111  contains  376.211,  376.21,  and  376.20)  is  a 
subevent,  or  cause,  of  that  event.  All  sub-events  are  connected  by 
OR  gates  unless  AND  is  specified. 


376  TCAS  does  not  display  a  traffic  advisory 

376.10  TCAS  unit  is  not  providing  Traffic  Advisories 

376.11  Self-monitor  shuts  down  TCAS  unit 

376.12  Sensitivity  level  set  such  that  no  TAs  are  provided 

376.121  Pilot  sets  sensitivity  level  manually 

376.122  Mode  S  ground  sensor  sets  sensitivity  level 

376.20  No  TA  inputs  are  provided  to  the  display 

376.21  No  traffic  advisory  is  generated  by  the  logic 

376.211  Inputs  do  not  satisfy  threat  criteria 

376.2111  Surveillance  does  not  provide  a  track  which 

passes  range  test 

376.21111  Surveillance  does  not  pass  adequate  track 

to  the  logic 

376.211111  Threat  is  non-Mode  C  aircraft 

376.211112  Surveillance  failure 

376.21112  Surveillance  fault  causes  incorrect 

range/range  rate  to  be  calculated 

376.2112  Altitude  reporting  causes  threat  not  to  be 

judged  a  threat 

376.21121  Threat  is  altitude-encoding  aircraft  AND 

376.21122  Threat  is  judged  not  to  be  threat  by 

altitude  tests 

376.211221  Threat  is  judged  to  be  on  ground 

376.211222  Threat  is  judged  to  pass 

with  >  ZTHR  separation 

376.212  Undetected  logic  design  flaw 

376.213  Logic  is  coded  incorrectly 

376.214  Processing  hardware  fails 

376.22  Processor  -  display  connectors  fail 

376.30  Display  limitation  prevents  display  of  threst 

376.31  Multiple  threats  cause  this  one  to  be  eliminated 

376.32  Intruder  overlaps  own-aircraft  symbol 
376.40  Other  function  preempts  display 

376.50  Display  hardware  fails 


420  TCAS  does  not  display  a  Resolution  Advisory 

420.10  TCAS  unit  is  not  providing  RAs 

420.11  Self-monitor  shuts  down  the  TCAS  unit 

420.12  Sensitivity  level  set  such  that  no  RAs  are  displayed 

420.121  Own  altitude  <  500  feet  AGL 

420.122  Pilot  selects  sensitivity  level  <  4  manually 

420.123  Mode  S  uplink  selects  sensitivity  level  <  4 

420.20  No  RA  inputs  are  provided  to  the  display 

420.21  No  RA  is  generated  by  the  logic 

420.211  Inputs  do  not  satisfy  RA  criteria 

420.2111  Surveillance  puts  threat  outside  corrective  RA 

position 

420.21111  Surveillance  does  not  pass  adequate  track 

to  the  logic 

420.211111  Threat  is  non-Mode  C  aircraft 

420.211112  Surveillance  failure 

420.21112  Surveillance  error  causes  incorrect 

range/range  rate  to  be  calculated 

420.2112  Altitude  reports  put  threat  outside  corrective 

RA  position 

420.21121  Altitude  errors  put  threat  on  ground 

420.211211  Uneven  terrain 

420.211212  Intruder  altitude  error 

420.211213  Own  Mode  C  altitude  error 

420.211214  Own  radar  altimeter  error 

420.21122  Altitude  errors  put  threat  in  non-threat 

position 

420.211221  Own  altitude  error 

420.211222  Intruder  altitude  error 

420.2113  Intruder  maneuver  causes  logic  to  delay  RA 

beyond  CPA 

420.212  Undetected  logic  design  flaw 

420.213  Logic  is  coded  incorrectly 

420.214  Processing  hardware  failure 

420.22  Processor-display  connectors  fail 
420.30  Display  is  preempted  by  other  function 
420.40  Display  hardware  fails 
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430  TCAS  displays  an  RA,  but  not  in  time  to  avoid  NMAC 

430.10  RA  is  delayed  beyond  time  when  maneuver  can  avoid  NMAC 

430.11  Conflict  was  created  late 

430.111  Own  aircraft's  motion  created  the  conflict 

430.112  Intruder  aircraft's  motion  created  the  conflict 

430.12  TCAS  was  enabled  to  issue  resolution  advisories  in  the  midst 

of  the  conflict 

430.121  Own  aircraft  in  a  conflict  when  TCAS  enabled  to  issue 

RAs  AND 

430.122  TCAS  enabled  to  issue  RAs 

430.1221  TCAS  was  just  turned  on  in  any  25  second  period 

430.1222  Own  altitude  increases  to  the  point  where  RAs 

are  enabled 

430.1223  Mode  S  ground  station  enables  RAs 

430.1224  Pilot  switches  sensitivity  level  to  enable  RAs 

430.13  TCAS  acquired  track  in  the  midst  of  a  conflict 

430.131  Own  aircraft  in  a  conflict  when  TCAS  acquired  track  AND 

430.132  TCAS  acquires  track  late 

430.1321  Aircraft  previously  judged  "on  ground"  now  judged 

"in  air” 

430.1322  Intruder  transponder  just  turned  on 

430.1323  Interference  -  limiting  feature  previously 

eliminated  threat 

430.1324  Intruder  motion  not  within  limits  expected  by 

Mode  S  surveillance 

430.1325  Surveillance  acquired  late 

430.14  Low  firmness  delays  RA 

430.141  Altitude  credibility  tests  rejected  reports 

430.1411  Noisy  surveillance  data 

430.1412  Stuck  Mode  C  bit 

430.1413  Intruder  acceleration  exceeds  that  expected 

430.142  Intruder  was  perceived  to  be  maneuvering 


440  TCAS  displays  a  Resolution  Advisory  which  the  pilot  does  not  follow 

440.10  Pilot  does  not  execute  the  RA  at  all 

440.11  Crew  does  not  perceive  RA  alarm 

440.111  Inadequate  alarm  design 

440.112  Crew  is  preoccupied 

440.12  Crew  does  not  believe  RA  is  correct 

440.13  Pilot  must  clear  his  airspace  before  maneuvering,  but  cannot 

440.131  Pilot  cannot  clear  his  airspace  due  to  visibility 

(IMC,  glaring  sun,  .  .  .) 

440.132  Pilot  can  clear  his  airspace  (good  VMC)  but  is  unable 

440.20  Pilot  executes  the  RA,  but  inadequately 

440.21  Pilot  stops  before  RA  is  removed 

440.22  Pilot  continues  beyond  point  RA  is  removed 

440.23  Pilot  delays  execution  beyond  time  allowed 


450  TCAS  displays  a  Resolution  Advisory  which  does  not  avoid  the  NMAC 

450.10  TCAS  is  not  shut  down  by  self-monitor  or  sensitivity  level  AND 

450.20  TCAS  generates  for  display  a  Resolution  Advisory  which  will 
not  avoid  the  NMAC 

450.21  Own  TCAS  generates  an  incorrect  RA 

450.211  RA  is  removed  before  aircraft  is  out  of  NMAC 

450.2111  RA  is  given  with  incorrect  sense  and  removed 

before  altitude  crossing  +100' 

450.2112  RA  is  given  with  correct  sense  and  removed 

before  aircraft  is  out  of  NMAC 

450.212  Standard  vertical  rate  is  insufficient  to  achieve 

100'  separation 

450.22  TCAS  receives  (via  coordination  link)  an  incorrect  RA 

complement 

450.221  Threat  is  TCAS-II  equipped 

450.222  Threat  generates  an  incorrect  RA 


G-8 


670  TCAS  displays  a  Resolution  Advisory  which  will  lead  to  NMAC 

670.10  TCAS  is  not  shut  down  by  self  monitor  or  sensitivity  level  AND 

670.20  TCAS  generates  for  display  an  RA  which  will  lead  to  NMAC 

670.21  Altitude  error  causes  wrong  sense  RA  which  leads  to  NMAC 

670.211  Wrong  sense  RA  is  choosen  AND 

670.212  Pilot  stops  following  RA  within  100  feet  of  threat 

670.2121  RA  is  removed  within  100  feet  of  threat  due  to 

altimetry  error 

670.2122  RA  is  removed  before  NMAC;  pilot  follows  it  until 

within  100'  of  threat 

670.2123  RA  is  removed  after  altitude  crossing;  pilot 

stops  following  it  within  100'  of  threat, 
before  it  is  removed 

670.22  C-bit  error  causes  incorrect  RA  to  be  generated 

670.23  RA  based  on  apparent  trajectory  is  thwarted  by  intruder 

maneuver 

670.24  False  track  causes  spurious  RA  which  leads  to  NMAC  with 

real  aircraft 

670.241  False  track  causes  spurious  RA  AND 

670.242  Spurious  RA  leads  to  NMAC  with  real  aircraft 


733  Traffic  and  proximity  advisories  do  not  show  the  instruction  is  incorrect 

733.10  TCAS  did  not  display  the  proximate  aircraft  own  will  maneuver  into 

733.11  No  proximity  advisory  inputs  are  provided  to  the  display 

733.111  No  TA  is  displayed 

733.1111  No  TA  should  be  displayed 

733.1112  No  TA  is  displayed  when  one  should  be 

(Continue  with  tree  for  event  376) 

733.112  TA  is  displayed  but  proximate  aircraft  is  not 

733.1121  No  proximity  advisory  should  be  displayed 

733.1122  Proximity  advisory  should  be  displayed  but  is  not 

733.11221  Inputs  do  not  satisfy  proximity  advisory 

criteria 

733.112211  Surveillance  does  not  pass  a  track  to 

the  logic  that  is  within  proximity 
range 

733.1122111  Surveillance  does  not  pass 

adequate  track  to  logic 

733.11221111  Threat  is  non-Mode  C 

aircraft 

733.11221112  Surveillance  failure 

733.1122112  Surveillance  provides  incorrect 

range 

733.112212  Altitude  reports  pass  a  relative 

altitude  that  does  not  satisfy 
proximity  criterion 

733.1122121  Threat  is  Mode  C  aircraft  AND 

733.1122122  Threat  is  judged  not  proximate 

733.11221221  Threat  is  judged  "on  the 

ground " 

733.11221222  Threat  is  judged  to  be 

1200'  away  vertically 

733.112 22  Undetected  logic  design  flaw 

733.11223  Logic  is  coded  incorrectly 

733.11224  Processing  hardware  fails 

733.1123  Display  limitation  prevents  display  of  the 

proximate  aircraft 

733.11231  Multiple  aircraft  cause  this  one  to  be 

eliminated 

733.11232  Proximate  aircraft  overlaps  own-aircraft 

symbol 

733.12  Display  hardware  failure 

733.20  Displays  shows  the  proximate  aircraft  but  in  the  wrong  location 

733.21  Displays  its  bearing  incorrectly 

733.22  Displays  its  range  incorrectly 

733.23  Displays  its  relative  altitude  incorrectly 


950  TCAS  displays  an  RA  which  would  avoid  NMAC  except  that  the  threat 
maneuvers 

950.10  Threat  maneuvers  after  RA  is  issued  and  neither  the  pilot  nor 
TCAS  corrects 

950.11  Threat  maneuvers  sufficient  to  counter  RA  AND 

950.12  Neither  the  pilot  not  TCAS  recognizes  situation  and  corrects 

950.121  Pilot  does  not  recognize  situation 

950.1211  Does  not  see  it  (visual) 

950.12111  IMC  (if  RAs  allowed  in  1MC) 

950.12112  Assumes  RA  o.k. 

950.12113  Cannot  acquire  threat 

950.1212  Does  not  see  it  from  TA  display 

950.12121  Not  monitoring  the  display 

950.12122  Display  does  not  show  it 

950.12123  Cannot  tell  that  display  shows  it 

950.1213  TCAS  does  not  tell  pilot  that  advisory  is  not 

adequate 

950.12131  TCAS  does  not  issue  "Advisory  not  OK" 

950.12132  Pilot  fails  to  perceive  alarm 

950.122  Pilot  becomes  aware  of  situation,  but  cannot  correct 

950.1221  Not  enough  time  to  maneuver 

950.1222  Cannot  devise  a  maneuver 

950.20  Other  aircraft  (different  than  threat)  involved  in  NMAC 


APPENDIX  H 

CALCULATION  OF  FAULT  TREE  PROBABILITIES  FOR  INTERMEDIATE  EVENTS 


In  Figure  7-5  of  Section  7,  the  probabilities  of  all  intermediate 
events  were  furnished  for  completeness.  As  man1/  events  in  the  tree 
are  not  independent  of  each  other,  the  calculations  of  their 
probabilities  do  not  proceed  in  a  straightforward  manner  (i.e.,  one 
cannot  simply  add  at  "OR"  gates  and  multiply  at  "AND"  gates).  This 
appendix  documents  the  means  by  which  the  intermediate  events  were 
estimated  for  the  000  Branch  of  the  tree  (Unresolved  NMAC). 

H.l  The  000  Branch  (Unresolved  NMAC) 

Figure  H-l  shows  the  reduced  000  branch  of  the  fault  tree.  The 
method  by  which  the  probability  of  event  3-300  was  obtained  is  shown 
in  Section  7;  in  this  appendix,  we  will  document  the  method  by  which 
the  probabilities  of  events  4-350,  4-410,  5-380,  6-390,  and  6-395 
were  obtained;  the  rest  of  the  events  with  probabilities  attached 
follow  the  straightforward  rules  for  "AND"  and  "OR"  gates. 

Events  6-390,  6-315,  and  5-3,80.  Because  all  gates  below  event  5-380 
are  "OR"  gates,  the  fault  tree  below  the  event  can  be  rearranged  so 
that  there  is  one  "OR"  gate  beneath  the  event  with  branches  to 
events  6-385,  7-391,  7-392,  7-396,  7-397,  and  7-398.  One  can  then 
proceed,  via  a  single  mathematical  operation  at  the  one  "OR"  gate, 
to  calculate  the  probability  of  event  5-380.  In  addition,  to 
facilitate  the  human  factors  analysis,  failure  events  7-392  and 
7-396  have  been  combined  into  a  single  event  with  failure 
probability  VNA.  One  should  also  note  the  failure  probability 
assigned  to  event  7-397  is  0.0.  As  a  consequence,  we  can  write  the 
set  expression  for  event  5-380  as 


(5-380)  =  (6-385)  U  (7-391)  U  (7-392,7-396)  U  (7-398) 


and  proceed  to  evaluate  the  probability  of  event  5-380. 

Event  5-380,  Pilot  Realizes  There  Is  a  Conflict  but  Does  Not 
Maneuver  Aircraft  So  as  to  Avoid  the  NMAC,  contains  a  precondition 
for  its  occurrence.  The  precondition  is  implied  by  the  words  "Pilot 
Realizes  There  Is  a  Conflict,"  which  is  the  opposite  event  to  5-355, 
Pilot  Does  Not  Realize  There  Is  a  Conflict.  Event  5-380  thus 
includes  the  requirement  that  a  TA  is  displayed  (the  opposite  of  the 
failure  comprising  event  5-355).  The  failure  mechanisms  listed 
below  event  5-380  are  developed  as  conditional  events;  i.e.,  they 
are  failures  given  the  presence  of  a  TA.  One  multiplies  these 
conditional  probabilities  by  the  probability  of  receiving  a  TA  in 
order  to  obtain  the  overall  probability  of  the  occurrence  of  event 
5-380. 

The  conditional  probabilities  of  the  events  below  5-380  are  obtained 
as  follows: 

•  Event  6-385  (Pilot  Cannot  Select  a  Maneuver) .  This  event 
is  the  occurrence  of  inadequate  visual  conditions.  Visual 
conditions  are  independent  of  the  presence  of  a  TA;  the 
conditional  probability  of  inadequate  visual  conditions 
given  the  presence  of  a  TA  is  thus  simply  the  probability 
of  inadequate  visual  conditions,  or  .30. 


•  Event  7-391  (Pilot  Has  Not  Visually  Acquired  the  Threat). 
Section  6  provides  the  probability  of  not  visually 
acquiring  a  threat  by  15  seconds  prior  to  CPA,  given  a  TA 
and  good  visual  conditions,  .17.  We  can  convert  this  to 
the  conditional  probability  of  no  visual  acquisition  given 


H-5 


r 


PREVIOUS  PAGE 
IS  BLANK 


a  TA  by  multiplying  by  the  probability  of  good  visual 
conditions  (1-.30,  or  .70)  to  obtain  the  result:  .12. 

•  Events  7-392  and  7-396,  Pilot  Does  Not  Avoid  NMAC  (or  is 
Too  Late)  Because  He  Visualized  the  Situation 
Incorrectly.  A  human  factors  failure  probability,  VNA, 
was  defined  as  the  probability  of  not  avoiding  the  threat 
given  the  threat  has  been  acquired.  The  probability  that 
the  pilot  does  not  avoid  the  threat  given  a  TA  is  this 
probablity,  VNA,  times  the  probability  of  visual 
acquisition  given  the  TA.  The  latter  probability  is  the 
probability  that  events  6-385  and  7-391  above  have  not 
occurred,  or  1  -  (.30  +  .12)  =  .58.  Thus,  the  probability 
of  acquiring  but  not  avoiding,  given  a  TA,  is  .58  (VNA). 

•  Event  7-398,  Pilot  Did  Not  Avoid  NMAC  Based  on  Information 
Provided  In  the  TCAS  TA  Display.  We  have  defined  a  human 
factors  failure  for  this  event,  TNA,  which  is  the 
probability  the  pilot  does  not  avoid  the  NMAC  due  to  a  TA 
and  is  conditional  upon  receiving  the  TA. 

These  four  probabilities  can  be  combined  to  obtain  the  conditional 
probability  of  event  5-380  given  the  presence  of  a  TA.  The  first 
three  events  (6-385,  7-391,  and  7-392/6)  are  mutually  exclusive; 
their  probabilities  can  be  summed  to  obtain  the  probability  of  any 
of  the  three  events  occurring,  or  .42  +  .58  (VNA).  The  fourth  event 
is  independent  of  the  first  three  (given  a  TA).  We  can  combine  it 
with  the  previous  three  events  under  the  rules  for  independence: 


(.42  +  .58  (VNA) )  +  TNA  -  [.42  +  .58  (VNA) ]TNA 


or 

.42  +  .58  (VNA)  +  .58  (TNA)  -  .58  (VNA) (TNA) 

Assuming  (VNA)  and  (TNA)  are  no  greater  than  0.1,  the  product  .61 
(VNA) (TNA)  will  be  at  least  two  orders  of  magnitude  lower  than  the 
rest  of  the  expression  and  will  be  neglected. 

This  is  the  conditional  probability  that  the  pilot  does  not  maneuver 
the  aircraft  given  the  presence  of  a  TA.  It  is  multiplied  by  the 
probability  of  receiving  a  TA,  .57,  to  produce  the  probability  of 
event  5-380,  or 

.24  +  .33  (VNA  +  TNA) 

Event  4-410.  Events  5-440  and  5-450  also  have  preconditions  for 
their  occurrence;  the  requirement  is  that  "TCAS  Displays  a 
Resolution  Advisory..."  We  have,  from  Section  5.1.5  and  Table  8-1, 
the  conditional  probability  of  event  5-450  (TCAS  Displays  an  RA 
Which  Is  Inadequate  to  Avoid  NMAC);  it  is  .011.  For  event  5-440 
(TCAS  Displays  a  Resolution  Advisory  Which  the  Pilot  Does  Not 
Follow),  the  human  factors  failure  rate  RNF  was  defined  as  the 
probability  of  not  following  an  RA,  given  one  is  present.  Multiply 
each  of  these  probabilities  by  the  probability  of  receiving  an  RA, 
(1-.41  =  .59),  to  obtain  the  overall  probabilities  of  each;  for 
5-440,  it  is  .58  RNF  and  for  5-450,  .0065.  Then  sum  the  four 
probabilities  of  events  5-420  through  5-450  to  produce  the 
probability  of  event  5-410,  or  .42  +  .58  (RNF). 
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APPENDIX  I 

CALCULATION  FOR  SENSITIVITY  ANALYSIS 


In  Section  8  a  sensitivity  analysis  was  performed  in  which  changes 
were  made  to  underlying  probabilities.  The  resulting  changes  in  the 
probability  of  event  2-000  (unresolved  NMAC)  and  event  2-500 
(induced  NMAC)  were  presented.  This  appendix  describes  the  means  by 
which  those  probabilities  were  calculated. 

Recall  from  Section  7  that  the  probability  of  the  top  event  is  the 
sum  of  the  probabilities  of  events  2-000  and  2-500.  In  turn,  the 
probability  of  event  2-000  is  that  of  3-300  (Pilot  Does  Not  Maneuver 
the  Aircraft  So  As  to  Avoid  NMAC  Based  on  His  Perception  (If  Any)  of 
the  Conflict);  the  probability  of  event  2-500  is  that  of  event  4-650 
(Pilot  Maneuvers  Aircraft  Because  of  Instruction  Provided  to  Him). 
The  probability  of  these  events  was  estimated  using  the  diagrams  of 
Figures  7-6  and  7-9.  In  this  appendix,  these  types  of  diagrams  will 
be  used  to  show  how  the  changes  in  probability  were  obtained.  For 
most  of  the  sensitivity  tests  (as  listed  in  Table  8-1),  a 
modification  of  Figures  7-6  and  7-9  will  be  provided  along  with  the 
description  of  how  they  have  changed. 

1.  Mode-C  Equipage 

The  first  sensitivity  test  changes  Mode  C  equipage  to  100%.  The 
diagrams  which  calculate  the  probabilities  for  events  3-300  and 
4-650  are  shown  in  Figures  1-1  and  1-2,  respectively.  Changed 
probabilities  are  highlighted  by  the  asterisks. 


Two  changes  can  be  seen  for  unresolved  NMACs  (Figure  1-1).  One  is 
that  the  probability  of  receiving  a  TA  has  increased  from  .57  to  .94 
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FIGURE  1-1 

PROBABILITY  OF  EVENT  3-300 
WITH  FULL  MODE-C  EQUIPAGE 
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(thus,  the  probability  of  not  receiving  a  TA  has  dropped  to  .06); 
also,  given  that  no  TA  was  received,  the  probability  of  not 
receiving  the  RA  drops  from  .953  to  .50.  The  result  is  an  overall 
lowering  of  the  probability  of  not  resolving  the  NMAC  to  3.5  percent 

This  is  accompanied,  however,  by  an  increase  in  induced  NMACs 
(Figure  1-2),  due  to  an  increase  in  the  probability  of  receiving  an 
RA  which  will  lead  to  a  critical  NMAC  (increased  from  .025  to 
.042).  The  result  is  an  increase  in  from  1.1  percent  to  1.8  percent 
for  the  probability  of  inducing  an  NMAC. 

2.  Surveillance  Failures 

This  sensitivity  test  measures  the  impact  of  a  change  in 
surveillance  failure.  The  diagrams  for  events  3-300  and  4-650  are 
shown  in  Figures  1-3  and  1-4.  Those  probabilities  that  change  show 
two  values;  the  first  is  for  improved  surveillance,  the  second  for 
degraded  surveillance. 

For  unresolved  NMACs,  two  sets  of  probabilities  change:  1)  The 
probability  of  receiving  a  TA  increases  by  .03  (or  decreases  by  .02) 
with  a  corresponding  decrease  (increase)  in  the  probability  of  not 
receiving  a  TA;  2)  Given  that  no  TA  has  been  received,  the 
probability  that  no  RA  is  received  increases  (decreases)  to  .99 
(.948). 


3.  Altimetry  Error 

This  sensitivity  test  measures  the  impact  of  a  20%  decrease  (or 
increase)  in  GA  altimetry  error.  The  diagrams  for  events  3-300  and 
4-650  are  shown  in  Figures  1-5  and  1-6. 
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For  both  unresolved  NMACs  (3-300)  and  Induced  NMACs  (4-650), 
altimetry  error  has  no  impact  on  the  probability  of  a  TA;  its  impact 
is  to  change  the  proportion  of  RAs  that  are  inadequate  to  avoid  NMAC 
from  .011  to  .004  (.027),  and  to  change  the  probability  of  receiving 
an  RA  which  will  induce  NMAC  from  .025  to  .0195  (.0391). 

4.  Maneuvering  Intruder  Hazard 

This  sensitivity  test  measures  the  impact  of  a  doubling  or  halving 
of  failure  probability  due  to  sudden  intruder  maneuvers.  This  does 
not  change  the  probability  of  an  unresolved  NMAC;  the  only  change  is 
for  event  4-650  (induced  NMAC).  The  means  by  which  it  is  calculated 
is  shown  in  Figure  1-7.  The  failure  rate  that  changes  is  the 
probability  of  receiving  an  RA  which  could  lead  to  an  NMAC. 

5.  Human  Factors  Failures 

In  this  sensitivity  test  we  have  quantified  the  human  factors 
failures  represented  as  variables  in  the  nominal  case.  A  failure 
rate  of  1  in  20  (.05)  was  tested  as  an  estimate  of  the  highest 
failure  rate  likely.  To  calculate  the  probabilities  associated  with 
these  failures,  the  variables  VNA,  TNA,  RNF,  VM1R,  and  TNA  are 
individually  replaced  with  .05,  multiplied  by  their  coefficients, 
and  summed  to  the  nominal  failure  rates. 

6.  Non-Mode  C  Tracking 

This  sensitvity  test  measures  the  impact  of  receiving  TAs  for  Mode  A 
aircraft.  This  only  changes  the  probability  of  an  unresolved  NMAC, 
It  does  not  increase  or  decrease  the  probability  of  an  induced 
NMAC.  The  diagram  for  event  3-300  is  shown  in  Figure  1-8.  The 
probability  of  receiving  an  RA  has  not  changed;  however,  the 
conditional  probabilities  of  receiving  an  RA  given  the  presence  of  a 
TA  are  lower,  reflecting  the  fact  that  no  RAs  are  being  provided  for 
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Mode  A  aircraft.  We  have  assumed  the  probability  of  visually 
acquiring  a  Mode  A  threat  on  near  collision  course  is  the  same  as 
that  of  a  Mode  C  threat. 


7.  Visual  Acauisition  Ineffective 


If  visual  acquisition  as  aided  by  the  TA  is  not  effective,  then  the 
only  improvement  that  can  be  made  in  resolving  NMACs  is  if  a  correct 
RA  is  issued.  Thus,  the  probability  of  event  4-410  (Pilot  Does  Not 
Avoid  NMAC  By  the  (Jse  of  a  TCAS  TA),  .42,  is  the  probability  that 
the  NMAC  is  not  resolved. 

Likewise,  without  visual  acquisition  it  is  assumed  that  an  incorrect 
RA  would  result  in  an  NMAC;  thus,  the  probability  of  event  5-660 
(Pilot  Is  Issued  an  Instruction  Which  Will  Lead  to  NMAC),  .025,  is 
the  probability  an  RA  will  lead  to  an  induced  NMAC. 

8.  Do  Not  Follow  RA  in  IMC 


The  impact  of  not  following  an  RA  in  IMC  is  that  in  lb%  of  NMAC 
encounters,  no  action  can  be  taken  to  resolve  the  NMAC  (visual 
acquisition  is  assumed  not  possible  and  no  TA  will  be  followed). 
However,  the  number  of  RAs  which  would  lead  to  an  induced  NMAC  is 
reduced. 


The  diagrams  for  these  cases  are  shown  in  Figures  1-9  and  1-10.  In 
1-9,  nominal  failures  are  multiplied  by  .84,  with  the  .16 
probability  of  being  in  IMC  contributing  directly  to  the  overall 
failure  probability,  as  shown  at  the  bottom  of  the  figure.  In  1-10 
however,  we  have  removed  from  the  failures  for  induced  NMACs  those 
that  would  have  occurred  in  IMC,  as  shown  by  the  l^cr.  of  shading  in 
the  right  column  on  the  row  where  IMC  occurs. 
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FIGURE  MO 

PROBABILITY  OF  EVENT  4-650 
WITH  NO  RAs  FOLLOWED  IN  IMC 


9.  Exponential  Altimetry  Error  Distribution 

This  sensitivity  test  measures  the  impact  of  the  assumption 
that  altimetry  errors  are  Gaussian.  In  this  test,  we 
recomputed  the  probability  of  receiving  an  RA  inadequate  to 
avoid  an  NMAC  (from  .011  to  .023)  and  of  receiving  an  RA  which 
will  induce  an  NMAC  (from  .025  to  .035).  The  diagrams  for 
events  3-300  and  4-650  are  shown  in  figures  1-11  and  1-12. 
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APPENDIX  J 

GEOMETRIES  LEADING  TO 
ALTITUDE  CROSSING  ADVISORIES 


This  Appendix  discusses  the  features  of  TCAS  logic  to  support 
the  analysis  of  Section  5.2.2  which  determines  for  which 
encounters  TCAS  is  potentially  faked  out  by  the  intruder’s 
maneuver.  The  threat’s  relative  altitude  and  altitude  rate 
determine  the  action  taken  by  the  TCAS  logic. 

Figure  J-l  shows  regions  of  different  Detection  and  Resolution 
performance  to  the  threat's  relative  altitude  (A)  and  altitude 
rate  (ADOT)  at  the  time  of  sense  selection.  Every  track  falls 
into  one  of  these  regions.  TCAS  is  assumed  level.  The  lines 
on  the  figure  are  shown  for  the  low-altitude  region  where  Tau  = 
25  seconds,  ALIM  =  340  ft  and  ZTHR  =  750  ft.  For  higher 
altitudes,  the  figure  would  appear  similar,  but  scaled  slightly 
differently  (e.g.,  some  diagonal  regions  would  be  wider). 

First,  this  figure  will  be  discussed  to  identify  the  regions  in 
which  an  altitude-crossing  sense  is  selected;  the  fake-out 
scenario  can  occur  only  in  such  a  region.  The  bottom 
half-plane  denotes  the  threat  diverging  vertically,  ADOT  GT  0. 
For  tracks  in  region  1  ((A  +  ADOT  *  Tau)  GT  ZTHR),  no  advisory 
is  given,  since  the  projected  separation  exceeds  the  Vertical 
Miss  Distance  threshold.  For  tracks  in  region  2  (0  LT  (A  + 
ADOT  *  Tau)  LT  ZTHR) ,  the  sense  that  reinforces  the  separation 
is  selected.  In  the  top  half-plane,  ADOT  is  less  than  zero. 
Region  3  ((A  +  ADOT  *  Tau)  GT  ZTHR)  corresponds  to  sufficiently 
large  vertical  separation  (VMD  greater  than  ZTHR)  so  that  no 


FIGURE  J-1 

SUSCEPTIBILITY  OF  TCAS  TO  FAKE-OUT 


advisory  is  ever  given.  Even  if  the  threat  later  converges  at 
a  higher  rate,  the  advisory  will  surely  begin  in  region  4.  For 
tracks  in  region  4  (0  LT  (A  +  ADOT  *  Tau)  LT  ZTHR  and  A  GT 
ZTHR) ,  vertical  Tau  is  still  above  the  alarm  threshold,  so  that 
no  alarm  is  generated  at  the  "usual"  time  of  range  Tau  passing 
its  threshold  (-(R-DM0D)/RD0T  LT  TRTHR) .  In  this  sense  the 
advisory  is  "late",  but  no  suggestion  of  decreased  safety  is 
meant.  A  threat  initially  in  region  4  will  later  satisfy  the 
altitude  Tau  threshold  and  cause  a  non-crossing  sense  to  be 
selected. 

For  tracks  in  region  5  (0  LT(A  +  ADOT  *  Tau)  LT  ZTHR  and  A  LT 
ZTHR) ,  an  immediate  alert  is  selected.  The  low  convergence 
rate  gives  the  projected  VMD  the  same  sign  as  current 
separation.  This  causes  a  non-crossing  sense  to  be  selected. 

For  tracks  in  region  6  (-ZTHR  LT  (A  +  ADOT  *  Tau)  LT  0),  the 
threat  is  projected  to  cross  through  TCAS'  altitude  by  closest 
point  of  approach.  Therefore,  an  altitude  crossing  sense  is 
selected.  This  region  is  discussed  further  below.  For  tracks 
in  region  7  ((A  +  ADOT  *  Tau)  LT  -ZTHR),  the  threat  is 
projected  to  cross  through  TCAS*  altitude,  and  pass  vertically 
by  more  than  ZTHR.  Therefore,  the  Vertical  Miss  Distance  test 
also  eliminates  this  alert,  unless  the  range  is  close  enough 
that  the  Horizontal  Miss  Distance  test  keeps  the  alarm.  In 
this  case,  the  Critical  Interval  Logic  should  force  a 
non-altitude-crossing  sense.  In  the  interest  of  upper-bounding 
the  fake-out  probability,  this  analysis  will  assume  that  no 
alert  is  given  in  region  7. 

Region  6  is,  therefore,  the  one  leading  to  altitude  crossings.  \ 

r 

In  some  of  these  cases,  an  intruder  could  potentially 
"fake-out"  the  TCAS.  Region  6  may  be  further  analyzed  to 
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relate  altitude  crossings  to  fake-out  cases.  When  the  relative 
altitude  is  small  at  initial  alarm  time  (A  less  than  about  500 
ft;  to  the  left  of  the  wavy  line),  an  intruder  level-off  cannot 
leave  the  intruder  at  TCAS’  final  altitude  since  TCAS  attempts 
to  achieve  a  separation  of  ALIM,  nominally  340  ft  for  the  25 
second  lau  shown.  If  the  intruder  made  such  a  level-off,  TCAS 
would  cross  through  the  intruder's  altitude  despite  the 
"wrong-way"  sense. 

The  rest  of  region  6  can  be  divided  into  two  subregions.  When 
the  Vertical  Miss  Distance  (VMD)  is  less  than  ALIM,  a  positive 
advisory  is  generated.  This  is  labeled  subregion  6A  (-ALIM  LT 
(A  +  ADOT  *  Tau)  LT  0).  When  VMD  is  more  than  ALIM  but  less 
than  ZTHR,  a  negative  advisory  is  generated.  This  is  subregion 
6B  (-ZTHR  LT  (A  +  ADOT  *  Tau)  LT  -ALIM).  In  this  subregion, 
the  advisory  does  not  tell  the  pilot  to  change  altitude.  If 
the  intruder  executes  the  "fake-out"  level-off,  the  advisory 
briefly  strengthens  to  positive,  but  soon  changes  to  "Advisory 
Not-OK".  (In  simulations  with  1/4  g  level-off,  the  positive 
was  displayed  only  3  seconds.)  With  this  sequence,  the  TCAS 
aircraft  is  unlikely  to  displace  significantly  toward 
the50ntruder'8  final  altitude.  Thus,  this  case  does  not  lead 
to  a  critical  NMAC,  although  the  initial  sense  choice  later 
becomes  wrong.  It  is  thus  concluded  that  the  geometry 
combinations  labeled  region  6A  constitute  the  potential 
fake-out  scenarios. 


J-4 


APPENDIX  K 

AIRCRAFT  ALTIMETRY  DATA 

This  appendix  identifies  altimetry  systems  and  their 
performance  for  two  "classes"  of  these  systems:  Air  Data 
Computer  (ADC)  corrected  altimetry  systems,  as  found  on  air 
carrier  aircraft,  and  baseline,  or  uncompensated,  altimetry 
systems,  typical  of  general  aviation  (GA)  aircraft.  The 
altimetry  systems  of  interest  here  are  those  arrangements  of 
pneumatic,  mechanical,  or  electrical  devices  which  sense  the 
ambient  air  pressure  about  an  aircraft  in  flight  and  which 
transduce  that  pressure  to  either  an  altitude  input  to  TCAS  or 
to  a  Mode  C  altitude  code  as  reported  by  an  onboard  air  traffic 
control  (ATC)  transponder.  The  concern  here  is  with  reported 
altitude;  flight  technical  error  and  indicated  altitude  error 
will  not  be  considered. 

Altimetry  system  performances  are  presented  in  statistical 
terms  by  identifying  standard  deviations  of  the  output  of 
system  elements  and  of  the  total  system.  The  estimated 
standard  deviations  are  combined  using  the  root-sum-square 
(RSS)  methodology.  The  predicted  accuracies  of  subelements  are 
combined  this  way  to  estimate  the  accuracies  of  system 
elements,  which  are  further  combined  to  derive  the  accuracy  of 
the  total  system. 

An  altimetry  system  can  be  divided  into  three  major  elements 
consistent  with  system  functions.  The  major  elements  are: 

1.  The  static  system 

2.  The  transducer 

3.  The  quantizer  (or  Mode  C  encoder) 


These  major  elements  then  have  associated  with  them  error 
components  as  shown  in  Figure  K-l. 

These  error  components  are  common  to  all  altimetry  systems  but 
will  be  discussed  only  with  reference  to  the  two  classes 
identified  above.  Technically  both  classes  are  controlled  by 
the  Federal  Aviation  Regulations  and  associated  standards 
(References  14-17).  However,  investigation  of  the  standards 
and  regulations  for  altimetry  systems,  plus  observations  of 
levels  of  equipage ,  indicate  that  the  altimetry  performances  of 
the  two  are  generally  governed  by  different  standards. 
Specifically,  the  ADC  corrected  altimetry  systems  often  provide 
altimetry  data  in  conformance  with  the  performance  standards 
specified  in  the  AR1NC  Characteristics  for  Air  Data  Systems 
(Reference  lb-22).  Baseline  altimetry  system  equipment,  on  the 
other  hand,  is  controlled  primarily  by  the  Federal  Aviation 
Regulations  (FARs)  and  is  found  primarily  among  GA  aircraft. 

K.l  Performance  of  a  Selected  Class  of  Air  Data  Computer 
(ADC)  Corrected  Altimetry  Systems 
The  altimetry  accuracies  estimated  in  this  section  pertain 
primarily  to  ADC  corrected  altimetry  systems  in  air  carrier 
aircraft.  Studies  of  air  carrier  aircraft  reveal  that  many 
are  equipped  with  at  least  one  air  data  computer  (ADC).  Many 
ADCs  provide  altimetry  error  correction.  (Note  that  not  all 
aircraft  equipped  with  an  ADC  provide  the  error  correction 
function,  some  ADCs  provide  only  an  autopilot  capability. 

Also,  it  is  important  to  realize  that  some  aircraft  without  ADC 
corrected  altimetry  provide  altimetry  accuracies  equiva¬ 
lent  to  those  in  which  ADC  corrections  of  static  source  error 
are  provided.  Additionally,  some  aircraft  are  equipped  with  a 
static  defect  correction  module  that  compensates  for  static 
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system  errors  in  the  same  manner  as  an  ADC,  and  that  provides 
a  comparable  level  of  performance.)  The  ADCs  generally 
conform  to  or  can  meet  various  ARINC  Air  Data  Systems  (ADS) 
characteristics,  providing  different  degrees  of  accuracy  and 
system  performance.  Some  aircraft,  although  not  the  majority 
of  them,  are  still  equipped  with  the  Kollsman  Integrated 
Flight  Instrumentation  System  (KIFIS).  From  available 
information  on  the  KIFIS  (References  23  and  24),  it  appears 
that  they  exhibit  characteristics  not  unlike  those 
standardized  by  the  ARINC  545  ADS  Characteristic. 

The  estimates  in  this  report  of  ADC  corrected  altimetry  system 
component  errors  are  based  on  an  altimetry  system  as 
characterized  by  ARINC  Characteristic  545.  This  is  the  first 
of  the  ARINC  characteristics  for  ADSs  and,  from  an  informal 
survey  of  the  industry,  is  the  one  to  which  most  ADC-equipped 
aircraft  conform.  Also,  it  is  the  least  rigorous  in  system 
accuracy  requirements,  the  later  ADS  characteristics  requiring 
better  performance.  Several  error  components  not  covered  by 
this  characteristic  will  be  drawn  from  other  sources. 

K.1.1  Static  Source  Error 


Static  source  error  is  comprised  of  the  following  component 
sources  of  errors: 

1.  Angle-of-attack  effects 

2.  Mach  effects 


3.  Calibration 


4.  Aircraf t-to-aircraf t  static  source  variability 
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Error  correction  as  provided  by  an  ADC  can  be  expected  to 
reduce  the  overall  error  of  the  aircraft's  static  source, 
particularly  in  cases  where  the  uncompensated  error  is  as 
large  as  100  feet  or  greater.  Among  errors  that  are  not 
compensated  are  those  associated  with  the  calibration  of  the 
static  source  both  at  certification  and  thereafter,  and  the 
aircraf t-to-aircraf t  variability  in  static  source  performance 
due  to  non-uniformities  in  aircraft  structure,  installation, 
and  airframe  aging.  Errors  contributed  by  angle  of  attack  are 
also  usually  uncompensated,  although  such  compensation  can  be 
provided  and  is  provided  on  later  model  aircraft. 

Mach  effects  are  compensated  by  the  ADC  through  the  use  of  a 
static  source  error  correction  curve.  This  curve  provides  an 
appropriate  error  correction  based  on  Mach.  Based  on  aircraft 
flight  profiles  and  performance  envelopes,  it  represents  a 
"fair"  or  "best  fit"  error  approximation  drawn  from  tests 
conducted  at  the  time  of  aircraft  certification. 

The  static  system  "deviation"  error  includes  the  expected 
offset  errors  from  the  calibrated  static  source  error 
attributable  to  calibration  errors,  production  tolerances,  and 
in-service  degradation  of  the  static  system.  The  magnitude  of 
static  system  deviation  error  has  been  estimated  here  by 
taking  data  from  tests  of  air  carrier  aircraft  (Reference  25) 
and  comparing  it  to  what  is  suggested  by  past  studies  and 
measurements  regarding  altimetry  systems  (Reference  26). 
Available  data  indicates  that  the  expected  bandwidth  of  the 
deviation  from  the  approved  error  correction  curve  is 
approximately  0.9  percent  of  the  impact  pressure.  The  error 


distribution  was  assumed  to  be  uniform  between  the 
given  bandwidth  limits.  This  assumption  of  uniformity 
provided  the  basis  for  approximations  of  error  bandwidths  at 
selected  altitudes  and  Mach  using  derived  impact  pressures. 
These  bandwidth  limits  were  then  divided  by  the  square  root  of 
12  to  give  the  standard  deviation  of  the  static  source 
deviation  error  as  shown  in  Table  K-l.  (Note  that  at  the 
altitudes  of  35,000  and  40,000  ft,  the  Mach  figures  tend  to 
exceed  what  may  be  considered  a  representative  cruise  Mach. 
This  was  intentional  and  should  merely  serve  to  make  the  error 
estimates  more  conservative.) 

As  mentioned,  the  ADC  provides  a  static  source  error 
correction  consistent  with  the  correction  curve  derived  from 
flight  test  measurements  of  a  particular  aircraft  type.  This 
curve  is  generally  represented  by  discrete  data  points  that 
can  be  "programmed"  into  the  ADC.  Since  accurate  error 
correction  is  largely  dependent  on  the  "slope"  of  the  error 
correction  curve,  that  is  the  gradient  of  the  error  correction 
versus  Mach  curve,  the  number  of  discrete  data  points  used  in 
the  correction  is  usually  increased  where  the  curve's  slope  is 
the  steepest.  The  ADC  outputs  a  correction  based  on  the 
discrete  data  points  providing  an  interpolation  of  the 
intermediate  values.  From  information  obtained  through 
informal  conversations  with  ADC  manufacturers,  it  appears  that 
a  reasonable  level  of  expected  performance  of  an  ADC  is  error 
correction  to  within  +  20  ft  of  the  approved  correction  curve 
at  any  given  point.  This  error  is  taken  as  the  extreme  values 
of  a  uniform  distribution,  which  implies  that  the  standard 
deviation  of  the  static  source  error  correction  residual 


TABLE  K-l 

ESTIMATED  STANDARD  DEVIATION  IN  STATIC  SOURCE  ERROR  AS  A 
FUNCTION  OF  MACH  AMONG  SELECTED  ADC  CORRECTED  ALTIMETRY  SYSTEMS 


1  MACH 

STATIC  SOURCE  DEVIATION 
(FT) 

1  .51 

28 

1  .56 

32 

1  .60 

37 

1  .64 

42 

1  .69 

47 

1  .73 

52 

1  .78 

56 

1  .82 

62 

1  .87 

70 

is  12  ft  (40  divided  by  the  square  root  of  12)  as  shown  in 
Table  K-2  under  the  S.S.E.C.  column. 

The  final  variable  to  be  included  in  this  assessment  is 
angle  of  attack.  This  variable  influences  the  total  static 
source  error  but,  as  indicated  from  informal  conversations 
with  airframe  manufacturers,  is  not  compensated  in  most  ADC 
equipped  aircraft.  Here,  however,  it  will  be  addressed 
since  it  appears  to  be  a  significant  component  of  the  static 
source  error.  Information  that  has  been  obtained  informally 
from  manufacturers  has  resulted  in  the  estimates  shown  in 
Table  K-2. 

For  a  properly  designed  system,  pneumatic  lagB  should  result 
in  no  more  than  a  10  ft  error  in  the  pressure  altitude  input 
to  the  transducer,  even  at  vertical  rates  up  to  5000  feet 
per  minute.  (See  Reference  28.)  Given  this  small  error  and 
the  likelihood  that  the  aircraft  will  exhibit  virtually  no 
such  error  for  the  greatest  part  of  their  flights,  it  is  not 
included  in  the  computation  of  total  system  errors. 

Table  K-2  also  gives  the  total  estimate  of  the  standard 
deviation  of  ADC  compensated  static  source  accuracy.  This 
estimate  was  derived  by  taking  the  root-sum-square  of  the 
component  errors  since  they  are  judged  to  be  independent. 

As  can  be  seen,  the  static  source  error  standard  deviation 
is  expected  to  be  of  significant  magnitude,  particularly  at 
high  altitudes. 
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TABLE  K-2 

ESTIMATED  STANDARD  DEVIATION  IN  TOTAL  STATIC  SYSTEM 
PERFORMANCE  AMONG  SELECTED  ADC  CORRECTED  ALTIMETRY  SYSTEMS 


K.1.2  Transducer  Error 

The  next  area  of  interest  is  transducer  error.  Referring  again 
to  Figure  K-l,  it  can  be  seen  that  transducer  error  is  due  to 
the  imperfect  conversion  of  pressure  into  mechanical  movement. 
This  conversion  error  is  comprised  of  a  number  of  components. 
The  AR1NC  545  document  gives  a  table  of  altitude  accuracies 
which  are  two  sigma  (95  percent)  values.  These  accuracies  have 
been  used  here  with  intermediate  values  being  determined 
through  a  linear  interpolation.  Here,  also,  the  one  sigma 
values  are  used  as  shown  in  Table  K-3.  The  error  components 
accounted  for  by  the  ARINC  accuracy  requirements  include 
friction,  hysteresis,  threshold  sensitivity,  repeatability,  and 
test  equipment  errors. 

K.1.3  Quantizer  (Mode  C)  Error 

The  final  errors  to  be  considered  are  those  associated  with 
Mode  C  altitude  reporting.  Figure  K-2  shows  the  components  of 
error  and  their  meaning.  The  ARINC  545  Characteristic  has  no 
specific  requirement  for  Mode  C  encoding  error.  However,  later 
characteristics  require  a  two  sigma  encoding  error  limit  of  15 
ft.  This  requirement  is  seen,  for  instance,  in  the  ARINC  565 
ADS  standard  which  essentially  is  the  545  document  with 
"no-options"  for  interfacing  with  peripheral  devices.  The 
encoding  error  standard  deviation  (one  sigma)  is  thus  assumed 
to  be  8  ft. 

In  addition  to  the  encoder  error,  there  is  the  100  foot 
quantization  used  in  Mode  C  which  causes  the  report  to  be  in 
error  by  50  ft  at  the  encoder  transition  points  even  where 
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The  quantization  error  is  fixed  at  50  ft  by  the  Mode  C 
code.  Encoding  error  is  introduced  when  the  center  of 
encoding  interval  does  not  fall  at  an  even  100  ft  of 
transducer  altitude  output. 


FIGURE  K-2 

MODE  C  ENCODING  AND  QUANTIZATION  ERRORS 


there  is  no  encoding  error.  Quantization  error  is  uniformly 
distributed  and  results  in  a  standard  deviation  of  29  ft  (100 
divided  by  the  square  root  of  12). 


The  encoding  and  quantizing  errors  are  independent.  When  they 
are  root-sum-squared  to  determine  the  total  error  standard 
deviation,  the  result  is  30  ft,  and  is  shown  as  such  in  Table 
K-4. 


K.1.4  ADC  Corrected  Altimetry  System  Total  Error 
Table  K-4  shows  the  computed  errors  for  static  source, 
transducer.  Mode  C  quantizer,  and,  in  the  two  right-most 
columns,  the  estimated  standard  deviation  of  total  altimetry 
system  error  computed  using  the  root-sum-square  method.  This 
error  budget  is  intended  to  represent  a  general  estimate  of  the 
standard  deviation  in  altimetry  system  accuracy  for  air  carrier 
aircraft  of  the  U.S.  fleet  with  ADC-corrected  altimetry. 

K.1.5  Altimetry  Error  Estimates  for  Specific  Airframes 
RTCA  SC-147  asked  several  aircraft  manufacturers  to  assess  the 
feasibility  of  the  air  carrier  quality  error  budget.  Two 
manufacturers  supplied  "worst  case”  altimetry  system  error 
budgets  for  several  airframes  and  kinds  of  altimetry 
equipment.  These  are  specified  at  5000  ft  intervals  for 
Douglas  aircraft,  and  above  and  below  15,000  ft  for  Lockheed 
aircraft.  Table  K-5  presents  this  data.  The  first  two  columns 
show  altitude  and  the  three  standard  deviation  (99.7  percent 
probability)  budget  as  taken  from  the  previous  section.  It  is 
seen  that  the  table  entries  are  below  the  budget  values. 
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TABLE  K-4 

ESTIMATED  STANDARD  DEVIATON  IN  TOTAL  ALTIMETRY  SYSTEM 
PERFORMANCE  AMONG  SELECTED  ADC  CORRECTED  ALTIMETRY  SYSTEMS 


is  200  feet 


K.2  Performance  of  Baseline  Altimetry  Systems 


The  baseline  altimetry  system  performance  usually  pertains  to 
systems  that  are  likely  to  be  found  aboard  GA  aircraft.  These 
aircraft  generally  have  mechanical  transducers  with  no  internal 
or  external  correction  devices.  Often,  the  mechanisms  for 
encoding  altitude  for  Mode  C  reports  is  contained  in  a  totally 
separate  transducer  called  a  "blind"  encoder.  The  only  link 
between  the  altimeter  and  the  blind  encoder  is  the  common 


static  system.  Other  aircraft  may  be  found  to  be  equipped  with 
an  encoding  altimeter.  Some  high  performance  aircraft,  such  as 
jets  do  have  the  added  feature  of  static  defect  correction 
(SDC)  which  can  greatly  improve  altimeter  and  Mode  C  accuracy. 
(The  SDC  provides  an  ADC  type  of  error  correction  function.) 

An  SDC  module  is  expensive  (on  the  order  of  $7,500  or  more)  and 
its  application  thus  far  is  generally  limited  to  high 
performance  and  high  cost  aircraft.  The  following  estimates  of 
error  magnitudes  are  based  on  systems  not  employing  SDC  modules. 

In  addition  to  Inferring  altimetry  performance  from  the 
pertinent  regulations,  a  survey  of  aircraft  manuals,  and  a 
survey  of  manufacturers  as  described  above,  a  set  of  measure¬ 
ments  was  made  in  1975.  Here,  the  actual  altitudes  of  45  GA 
aircraft  were  repeatedly  measured  at  4500  and  8500  foot 
altitudes  and  compared  to  the  reported  values,  thus  measuring 
total  error  (Reference  30).  To  generate  meaningful  statistics, 
these  error  measurements  were  converted  by  an  approximate 
method  to  the  single  altitude  of  4500  ft  (Reference  31). 

K.2.1  Static  Source  Error 

For  the  low  performance  aircraft  that  generally  incorporate  a 
baseline  altimetry  system,  the  static  source  error  components 
considered  are  the  following:  calibrated  static  source  error, 
static  source  deviation,  and  angle  of  attack  errors. 
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To  estimate  a  representative  calibrated  static  source  error  for 
GA  aircraft,  the  readily  available  error  correction  charts  were 
examined  and  records  made  of  the  observed  worst  case  errors. 

Then,  to  be  conservative,  it  was  assumed  that  these  errors 
characterized  the  limiting  values  of  a  uniform  error 
distribution.  From  these  uniform  distributions,  the  standard 
deviation  was  found  through  dividing  the  total  error  bandwidth  by 
the  square  root  of  12.  The  second  column  in  Table  K-6  shows  the 
estimated  standard  deviations  of  static  error  at  various 
altitudes.  It  is  noted  that  AI)C  or  SDC  corrected  altimetry 
systems  should  perform  considerably  better. 

Table  K-6  also  shows  the  estimates  of  the  expected  deviations 
from  the  calibrated  static  source  errors  and  includes  calibration 
errors,  production  tolerances,  and  overall  aircraf t-to-aircraf t 
variability  in  static  source  performance.  There  was  little 
information  available  on  aircraf t-to-aircraf t  variability  in 
static  system  performance  either  within  model  lines  or  on  the 
basis  of  aircraft  age.  Therefore,  the  figures  shown  were  drawn 
from  a  staightforward  multiplication,  by  1.25,  of  the  air  carrier 
standard  deviations. 

Angle  of  attack  errors  are  also  shown  in  Table  K-6.  Angle  of 
attack  does  contribute  to  the  error,  although  the  contribution  is 
usually  not  of  great  significance,  given  the  low  airspeeds  and 
weight  limitations  of  GA  aircraft.  Error  magnitudes  associated 
with  angle  of  attack  effects  are  included  to  be  conservative  and 
are  based  primarily  on  information  offered  by  manufacturers. 

Some  substantiating  evidence  for  the  given  figures  can  be 
extracted  from  pilot's  manuals  for  high  performance  GA  aircraft 
where  error  deviation  with  gross  weight  is  illustrated  by  the 
correction  charts.  On  several  high  performance  GA  aircraft. 


TABLE  K-6 

ESTIMATED  STANDARD  DEVIATION  IN  TOTAL  STATIC  SYSTEM 
PERFORMANCE  AMONG  BASELINE  ALTIMETRY  SYSTEMS 


SL 

1 

1  69 

35 

5  K 

1  84 

40 

10  K 

1  95 

46 

15  K 

1  109 

52 

20  K 

1  121 

59 

25  K 

1  135 

65 

30  K 

1  147 

70 

35  K 

1  161 

78 

40  K 

1  173 

1 

88 

several  such  charts  are  provided  each  showing  the  required 
correction-versus-airspeed  for  differing  gross  weights  (angles 
of  attack).  The  given  deviation  with  gross  weight  can  be  used 
to  determine  angle  of  attack  effects. 

The  last  column  of  Table  K-6  shows  the  total  static  system 
standard  deviation  which  was  derived  using  the  RSS  method. 

K.2.2  Transducer  Error 

As  shown  in  Figure  K-l,  the  transducer  error  is  due  to  the 
imperfect  conversion  of  pressure  to  mechanical  movement.  The 
estimations  of  transducer  error  for  a  fully  mechanical 
altimeter  are  derived  in  part  from  the  FAR,  Part  43,  Appendix 
E.  The  accuracies  shown  here  are  based  on  the  scale  and 
hysteresis  error  limits  shown  in  the  FAR.  These  error  limits 
are  assumed  in  each  case  to  represent  the  three  sigma  error 
limits.  The  standard  deviation  for  these  two  combined  errors 
was  then  calculated  as  the  RSS  of  the  specified  error  limits 
divided  by  three. 

Another  error  source  considered  was  transducer  calibration 
accuracy.  From  available  information  (Reference  2b),  it 
appears  that  these  errors  shall  fall  within  approximately  0.005 
in  Hg  at  sea  level  (5  ft)  and  within  0.003  in. Hg  at  70,000  ft 
(50  ft).  These  values  were  assumed  to  represent  the  error 
standard  deviations  with  intermediate  values  being  derived 
through  a  linear  interpolation. 

The  error  standard  deviations  shown  in  Table  K-7  were  derived 
by  the  RSS  combination  of  the  standard  deviations  of  both  the 
FAR  requirements  and  the  calibration  accuracies  at  each  given 
altitude. 
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TABLE  K-7 

ESTIMATED  STANDARD  DEVIATION  IN  TRANSDUCER  PERFORMANCE 
AMONG  BASELINE  ALTIMETRY  SYSTEMS 


i  1 

ALTITUDE  (MSL) 

STANDARD  DEVIATION 

(FEET) 

(FEET) 

SL 

26 

5  K 

29 

10  K 

38 

15  K 

45 

20  K 

52 

25  K 

61 

30  K 

69 

35  K 

77 

40  K 

1 

86 

All  aircraft  must,  as  a  minimum,  meet  the  requirements  of  FAR 
Part  91.36.  This  regulation  requires  that  the  quantized 
altitude,  as  used  in  the  Mode  C  altitude  report,  correspond  to 
the  indicated  altitude  to  within  +  125  ft  on  a  95  percent  (two 
sigma)  probability  basis  at  the  time  of  equipment 
installation.  The  indicated  altitude,  in  this  case,  is  as 
corrected  to  29.92  in. Hg.  Using  this  requirement  as  an 
indicator  of  actual  performance  gives  a  standard  deviation  of 
63  ft  (one  sigma)  at  all  altitudes. 

Recently,  a  new  FAR  Mode  C  test  has  been  established  that 
requires  a  bi-annual  check  of  Mode  C  correspondence  to 
indicated  altitude  for  aircraft  flown  under  instrument  flight 
rules  (IFR) .  The  operational  limits  to  correspondence  error 
are  +  300  ft.  If  ATC  sees  an  error  of  this  magnitude,  they  may 
request  that  the  Mode  C  report  be  turned  off. 

K.2.4  Baseline  Altimetry  System  Total  Error 
Table  K-8  shows  the  computed  standard  deviations  for  static 
source,  transducer,  and  quantizer  errors.  In  addition,  the  two 
right  hand  columns  show  the  standard  deviations  for  total 
system  error  using  the  RSS  method.  This  error  budget  is 
intended  to  represent  the  nominal  standard  deviation  in 
baseline  altimetry  system  accuracy,  primarily  among  GA  aircraft 
of  the  U.S.  fleet. 

As  noted  earlier,  a  limited  set  of  measured  data  is  available 
for  GA  altimeters  (References  30  and  31).  This  information 
(converted  to  4500  ft  altitude)  showed  a  standard  deviation  in 
indicated  altitude  of  68  ft,  considerably  less  than  the  99  ft 
shown  in  Table  K-8  at  5000  ft  altitude.  This  implies  less 
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TABLE  K-8 

ESTIMATED  STANDARD  DEVIATON  IN  TOTAL  ALTIMETRY  SYSTEM 
PERFORMANCE  AMONG  BASELINE  ALTIMETRY  SYSTEMS 


ALTITUDE  (MSL) 
(FEET) 

T 

1 

1 

1 

1 

STATIC  I 

SOURCE  |  TRANSDUCER 
1 

"I 

I  QUAN.- 
1  (MODE  C) 

1 

“1 

|  TOTAL  STD. 

1  W/O  Mode  C 

1 

DEV.  (FT.) 
W/Mode  C 

SL 

T 

1 

r 

78  I 

26 

1 

I  63 

1 

I  82 

104 

5  K 

1 

95  | 

29 

1  63 

I  99 

118 

10  K 

1 

109  1 

38 

1  63 

1  115 

132 

15  K 

1 

125  I 

45 

1  63 

1  132 

147 

20  K 

1 

140  | 

52 

1  63 

I  149 

162 

25  K 

1 

155  1 

61 

1  63 

1  166 

178 

30  K 

1 

168  | 

69 

1  63 

1  182 

192 

35  K 

1 

165  1 

77 

1  63 

1  200 

210 

40  K 

1 

i 

200  1 

1 

86 

1  63 

1 

1  218 

1 

227 
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static  error  than  is  predicted,  at  least  for  that  sample.  On 
the  other  hand,  the  measurements  also  show  a  standard  deviation 
in  reported  altitude  of  111  ft  (at  4500  ft  altitude).  This  is 
close  to  the  118  ft  shown  in  Table  K-8  at  5000  ft  altitude. 

The  implication  is  that  while  the  static  error  is  less  than 
predicted,  the  quantization  (encoding)  error  is  greater,  ending 
up  with  nearly  the  same  results  in  reported  altitude. 
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VISUAL  ACQUISITION  OF  ATC  ADVISORIES 


This  appendix  discusses  the  differences  between  the  visual 
acquisition  probabilities  calculated  in  Section  6.5  and  visual 
acquisition  experience  in  the  ATC  system  today.  It  explains  why  it 
is  misleading  to  compare  current  experience  with  ATC  traffic 
advisories  to  the  results  found  in  Section  6.5.  It  also 
demonstrates  that  the  model  gives  results  consistent  with  current 
experience  if  it  is  properly  applied. 


In  Section  6.5,  the  visual  acquisition  probabilities  are  computed 
for  a  two-man  crew  searching  with  the  aid  of  a  TCAS  traffic 
advisory.  The  probability  of  acquisition  by  15  seconds  to  collision 
is  computed  (assuming  a  zero  horizontal  miss  distance).  The 
acquisition  probability  is  greater  than  the  average  value  for  visual 
acquisition  today  for  the  following  reasons: 


1.  The  bearing  provided  by  the  TCAS  TA  is  two  or  three  times 
more  accurate  than  the  bearing  provided  by  ATC. 


2.  ATC  often  provides  advisories  for  traffic  which  never 
approaches  closer  than  2  or  3  miles.  This  long-range 
traffic  is  harder  to  acquire  than  traffic  which  approaches 
to  within  15  seconds  of  collision. 


3.  ATC  often  provides  advisories  at  ranges  of  4  to  5  miles. 
For  small  aircraft,  this  is  too  soon  for  productive  visual 
search.  Even  if  the  aircraft  later  comes  close  enough  to 
be  more  easily  acquired,  the  bearing  has  often  changed  or 
the  search  effort  of  the  crew  has  diminished. 


In  order  to  compare  the  model  predictions  to  current 
experience,  the  model  should  be  applied  under  assumptions  which 
more  closely  reflect  the  manner  in  which  ATC  traffic  advisories 
are  used.  As  an  example,  let  us  make  the  following  assumptions 

1.  The  model  parameter  p  which  describes  visual  search 
performance  with  the  aid  of  an  ATC  traffic  advisory 
will  be  70,000/sec  (single  pilot).  This  is  half  the 
value  for  a  TCAS  traffic  advisory  and  reflects  the 
fact  the  decreased  accuracy  of  the  ATC  advisory 
requires  the  crew  to  search  an  angular  area  which  is 
two  or  three  times  greater  than  with  TCAS.  It  will  be 
assumed  that  two  crew  members  search  so  that  the 
effective  p  value  is  140,000  for  time  periods  in  which 
both  crew  members  are  searching. 

2.  The  ATC  traffic  advisory  is  given  at  4  nmi  before 
closest  approach. 

3.  The  crew  devotes  half  of  the  30  second  period 
following  the  receipt  of  the  advisory  to  visual 
search.  The  acquisition  probability  is  computed  at 
the  end  of  this  30  second  period.  This  assumption  is 
intended  to  reflect  the  fact  that  as  the  time  passes 
the  search  effort  of  the  crew  diminishes  and  the 
bearing  of  the  intruder  tends  to  change,  making  visual 
acquisition  less  likely. 

4.  The  intruder  has  a  visible  area  of  70  square  feet 
(assumed  constant  for  purposes  of  calculation). 

Actual  visual  areas  for  small  aircraft  range  from  20 
to  120  square  feet. 


For  unaccelerated  flight  the  range  to  the  target  is  given  by 
the  expression 

m  ,  2  .  ,22x1/2 

r  ■  (m  +  V  t  ) 

where  m  is  the  horizontal  miss  distance,  V  is  the  relative 
speed  of  the  intruder,  and  t  is  the  time  to  closest  approach. 
The  probability  of  acquisition  is  then  given  by  the  expression 

T  PA  /  Vtl 

P  [acquisition]  *  1.  -  exp  -  jarctan  — —  -  arctan 

where  A  is  the  target  visible  area,  t^  is  the  time  at  which 
search  begins,  and  t^  is  the  time  at  which  search  ends  (all 
times  being  measured  relative  to  the  time  of  closest 
approach.)  If  the  miss  distance  approaches  zero,  this 
expression  reduces  to  the  familiar  expression  used  in  the 
safety  study: 


P  [acquisition] 


tl  fc2 
tlt2 


The  visual  acquisition  probabilities  which  result  are  provided 
in  Table  L-l  for  a  combination  of  relative  speeds  and  miss 
distances. 


TABLE  L-l 

PREDICTED  PROBABILITY  OF  VISUAL  ACQUISITION  WITH 
ATC  TRAFFIC  ADVISORIES  (EXAMPLE) 


HORIZONTAL  MISS  DISTANCE 


RELATIVE  SPEED 

1  1 

1  0.0  nml  I 

1  t 

1.0  nmi 

T 

1 

1 

2.0  nmi 

T 

1 

1 

3.0  nmi 

120  Knots 

i  1 

1  0.28  | 

| 

0.26 

T 

1 

i 

0.22 

~T 

1 

1 

0.17 

240  Knots 

1  0.39  | 

1  | 

0.33 

1 

1 

i 

0.27 

1 

1 

0.15 

360  Knots 

1  1 

1  0.64  | 

i  t 

0.51 

1 

1 

1 

0.23 

i 

1 

1 

0.16 

The  average  probability  of  acquisition  for  this  example  is  around 
30  percent,  much  lower  than  the  model  predictions  which  are 
appropriate  for  use  in  NMAC  geometries.  The  acquisition 
probability  would  be  greater  if  the  examples  were  elaborated  to 
include  acquistion  which  occurs  more  than  30  seconds  after  the 
traffic  call.  The  acquisition  probability  would  go  down  if 
altitude-unknown  traffic  advisories  were  included  or  if  cases  of 
greatly  restricted  meterologlcal  visbility  were  added. 

The  example  demonstrates  that  the  visual  acquisition  model 
employed  in  this  study  is  not  necessarily  Inconsistent  with 
stated  experience  with  ATC  traffic  advisories. 
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APPENDIX  M 

UNITED  AIRLINES  RISK  DATA 


From  records  kept  by  United  Airlines  (UAL) ,  and  made  available  for 
this  study,  it  is  possible  to  estimate  the  average  risk  of 
encountering  a  critical  near  midair  collision. 

Over  the  period  of  January  1980  to  July  1983  the  UAL  fleet  logged 
2,922,500  flight  hours.  They  also  recorded  any  near  midair 
collisions  that  their  pilots  reported,  noting  the  altitude  at  which 
they  occurred  and  often  the  estimated  vertical  or  horizontal 
separation  at  closest  approach.  From  this  data,  all  reports 
occurring  at  less  than  500  ft  AGL  were  removed,  to  correspond  to  a 
similar  provision  that  is  built  into  TCAS.  For  those  incidents 
where  relative  altitude  was  estimated,  approximately  25  percent  were 
noted  to  come  within  100  ft  vertically;  and  there  were  a  total  of  60 
incidents.  For  those  incidents  where  horizontal  miss  distance  was 
estimated,  22  out  of  23  cases  were  reported  within  500  ft.  From 
this  information,  the  risk  of  encountering  a  critical  near  midair 
collision  is  estimated  to  be: 

(60  x  .25)  (22/23)72,922,500  -  4.9  x  10-6  per  hour. 


APPENDIX  N 

ACRONYMS  AND  ABBREVIATIONS 

A/C  -  Air  Carrier 
ADC  -  Air  Data  Computer 
ADS  -  Air  Data  Systems 
AGL  -  Above  Ground  Level 

ALIM  -  Altitude  threshold  for  corrective  resolution  advisories 
ARINC  -  Aeronautical  Radio,  Inc. 

ATARS  (IPC)  -  Automatic  Traffic  Advisory  and  Resolution  Service 
(Intermittent  Positive  Control) 

ATC  -  Air  Traffic  Control 

ATCRfiS  -  Air  Traffic  Control  Radar  Beacon  System 

BCAS  -  Beacon  Collision  Avoidance  System 

CAS  -  Collision  Avoidance  System 
CPA  -  Closest  Point  of  Approach 
CRT  -  Cathode  Ray  Tube 

DoD  -  Department  of  Defense 

FAA  -  Federal  Aviation  Administration 
FAR  -  Federal  Aviation  Regulations 

GA  -  General  Aviation 

HMD  -  Horizontal  Miss  Distance 


IFR  -  Instrument  Flight  Rules 

ILS  -  Instrument  Landing  System 

IMC  -  Instrument  Meteorological  Conditions 

IPC  -  See  ATARS 

KIFIS  -  Kollsman  Integrated  Flight  Instrumentation  System 

LCK  bit  -  Coordination  Lock  subfield  used  in  TCAS-to-TCAS 
coordination 

MOPS  -  Minimum  Operational  Performance  Standard 
MSL  -  Mean  Sea  Level 

NASA  -  National  Aeronautics  and  Space  Administration 
NMAC  -  Near  Midair  Collision 
NMI  -  Nautical  Miles 

RA  -  Resolution  Advisory 
RSS  -  Root-Sum-Squares 

RTCA  -  Radio  Technical  Commission  for  Aeronautics 

SDC  -  Static  Defect  Correction 
SS  -  Static  Source 

SSEC  -  Static  Source  Error  Correction 
SSR  -  Secondary  Surveillance  Radar 

TA  -  Traffic  Advisory 

TCAS  -  Traffic  Alert  and  Collision  Avoidance  System 
TCAS  I  -  Version  of  TCAS  giving  minimal  warnings 
TCAS  II  -  Version  of  TCAS  giving  resolution  advisories 
TEU  -  TCAS  Experimental  Unit 
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